The following issues were found:

tools/testing/selftests/kvm/kvm_binary_stats_test.c
4 issues
read - Check buffer boundaries if it is used in a loop, including recursive loops
Security

Line: 39 Column: 8 CWE codes: 120 20

              	header = malloc(sizeof(*header));
	TEST_ASSERT(header, "Allocate memory for stats header");

	ret = read(stats_fd, header, sizeof(*header));
	TEST_ASSERT(ret == sizeof(*header), "Read stats header");
	size_desc = sizeof(*stats_desc) + header->name_size;

	/* Read kvm stats id string */
	id = malloc(header->name_size);

            

Reported by FlawFinder.

read - Check buffer boundaries if it is used in a loop, including recursive loops
Security

Line: 46 Column: 8 CWE codes: 120 20

              	/* Read kvm stats id string */
	id = malloc(header->name_size);
	TEST_ASSERT(id, "Allocate memory for id string");
	ret = read(stats_fd, id, header->name_size);
	TEST_ASSERT(ret == header->name_size, "Read id string");

	/* Check id string, that should start with "kvm" */
	TEST_ASSERT(!strncmp(id, "kvm", 3) && strlen(id) < header->name_size,
				"Invalid KVM stats type, id: %s", id);

            

Reported by FlawFinder.

strlen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected)
Security

Line: 50 Column: 40 CWE codes: 126

              	TEST_ASSERT(ret == header->name_size, "Read id string");

	/* Check id string, that should start with "kvm" */
	TEST_ASSERT(!strncmp(id, "kvm", 3) && strlen(id) < header->name_size,
				"Invalid KVM stats type, id: %s", id);

	/* Sanity check for other fields in header */
	if (header->num_desc == 0) {
		printf("No KVM stats defined!");

            

Reported by FlawFinder.

strlen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected)
Security

Line: 107 Column: 15 CWE codes: 126

              			break;
		}
		/* Check name string */
		TEST_ASSERT(strlen(pdesc->name) < header->name_size,
				"KVM stats name(%s) too long", pdesc->name);
		/* Check size field, which should not be zero */
		TEST_ASSERT(pdesc->size, "KVM descriptor(%s) with size of 0",
				pdesc->name);
		size_data += pdesc->size * sizeof(*stats_data);

            

Reported by FlawFinder.

tools/testing/selftests/kvm/memslot_modification_stress_test.c
4 issues
getopt - Some older implementations do not protect against internal buffer overflows
Security

Line: 181 Column: 16 CWE codes: 120 20
Suggestion: Check the implementation on installation, or limit the size of all string inputs

              
	guest_modes_append_default();

	while ((opt = getopt(argc, argv, "hm:d:b:v:oi:")) != -1) {
		switch (opt) {
		case 'm':
			guest_modes_cmdline(optarg);
			break;
		case 'd':

            

Reported by FlawFinder.

atoi - Unless checked, the resulting number can exceed the expected range
Security

Line: 195 Column: 15 CWE codes: 190
Suggestion: If the source is untrusted, check both the minimum and the maximum, even if the input had no minus sign (large numbers can roll over into a negative number; consider saving to an unsigned value if that is intended)

              			guest_percpu_mem_size = parse_size(optarg);
			break;
		case 'v':
			nr_vcpus = atoi(optarg);
			TEST_ASSERT(nr_vcpus > 0 && nr_vcpus <= max_vcpus,
				    "Invalid number of vcpus, must be between 1 and %d",
				    max_vcpus);
			break;
		case 'o':

            

Reported by FlawFinder.

atoi - Unless checked, the resulting number can exceed the expected range
Security

Line: 204 Column: 33 CWE codes: 190
Suggestion: If the source is untrusted, check both the minimum and the maximum, even if the input had no minus sign (large numbers can roll over into a negative number; consider saving to an unsigned value if that is intended)

              			p.partition_vcpu_memory_access = false;
			break;
		case 'i':
			p.nr_memslot_modifications = atoi(optarg);
			break;
		case 'h':
		default:
			help(argv[0]);
			break;

            

Reported by FlawFinder.

usleep - This C routine is considered obsolete (as opposed to the shell command by the same name). The interaction of this function with SIGALRM and other timer functions such as sleep(), alarm(), setitimer(), and nanosleep() is unspecified
Security

Line: 87 Column: 3 CWE codes: 676
Suggestion: Use nanosleep(2) or setitimer(2) instead

              	gpa = guest_test_phys_mem - pages * vm_get_page_size(vm);

	for (i = 0; i < nr_modifications; i++) {
		usleep(delay);
		vm_userspace_mem_region_add(vm, VM_MEM_SRC_ANONYMOUS, gpa,
					    DUMMY_MEMSLOT_INDEX, pages, 0);

		vm_mem_region_delete(vm, DUMMY_MEMSLOT_INDEX);
	}

            

Reported by FlawFinder.

tools/testing/selftests/kvm/set_memory_region_test.c
4 issues
memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 91 Column: 3 CWE codes: 120
Suggestion: Make sure the destination can always hold the source data

              		TEST_ASSERT(run->mmio.phys_addr == MEM_REGION_GPA,
			    "Unexpected exit mmio address = 0x%llx",
			    run->mmio.phys_addr);
		memcpy(run->mmio.data, &MMIO_VAL, 8);
	}

	if (run->exit_reason == KVM_EXIT_IO && cmd == UCALL_ABORT)
		TEST_FAIL("%s at %s:%ld, val = %lu", (const char *)uc.args[0],
			  __FILE__, uc.args[1], uc.args[2]);

            

Reported by FlawFinder.

atoi - Unless checked, the resulting number can exceed the expected range
Security

Line: 431 Column: 11 CWE codes: 190
Suggestion: If the source is untrusted, check both the minimum and the maximum, even if the input had no minus sign (large numbers can roll over into a negative number; consider saving to an unsigned value if that is intended)

              
#ifdef __x86_64__
	if (argc > 1)
		loops = atoi(argv[1]);
	else
		loops = 10;

	pr_info("Testing MOVE of in-use region, %d loops\n", loops);
	for (i = 0; i < loops; i++)

            

Reported by FlawFinder.

usleep - This C routine is considered obsolete (as opposed to the shell command by the same name). The interaction of this function with SIGALRM and other timer functions such as sleep(), alarm(), setitimer(), and nanosleep() is unspecified
Security

Line: 113 Column: 2 CWE codes: 676
Suggestion: Use nanosleep(2) or setitimer(2) instead

              		    "sem_timedwait() failed: %d\n", errno);

	/* Wait for the vCPU thread to reenter the guest. */
	usleep(100000);
}

static struct kvm_vm *spawn_vm(pthread_t *vcpu_thread, void *guest_code)
{
	struct kvm_vm *vm;

            

Reported by FlawFinder.

usleep - This C routine is considered obsolete (as opposed to the shell command by the same name). The interaction of this function with SIGALRM and other timer functions such as sleep(), alarm(), setitimer(), and nanosleep() is unspecified
Security

Line: 203 Column: 2 CWE codes: 676
Suggestion: Use nanosleep(2) or setitimer(2) instead

              	 * a tiny window.  Spin and defer the sync until the memslot is
	 * restored and guest behavior is once again deterministic.
	 */
	usleep(100000);

	/*
	 * Note, value in memory needs to be changed *before* restoring the
	 * memslot, else the guest could race the update and see "2".
	 */

            

Reported by FlawFinder.

tools/testing/selftests/kvm/x86_64/mmio_warning_test.c
4 issues
popen - This causes a new program to execute and is difficult to use safely
Security

Line: 84 Column: 6 CWE codes: 78
Suggestion: Try using a library call that implements the same functionality, if one is available

              	int warnings;
	FILE *f;

	f = popen("dmesg | grep \"WARNING:\" | wc -l", "r");
	fscanf(f, "%d", &warnings);
	fclose(f);

	return warnings;
}

            

Reported by FlawFinder.

srand - This function is not sufficiently random for security-related functions such as key and nonce creation
Security

Line: 70 Column: 2 CWE codes: 327
Suggestion: Use a more secure technique for acquiring random values

              				    kvmcpu, 0);
	tc.kvmcpu = kvmcpu;
	tc.run = run;
	srand(getpid());
	for (i = 0; i < NTHREAD; i++) {
		pthread_create(&th[i], NULL, thr, (void *)(uintptr_t)&tc);
		usleep(rand() % 10000);
	}
	for (i = 0; i < NTHREAD; i++)

            

Reported by FlawFinder.

open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of a special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 60 Column: 8 CWE codes: 362

              	struct kvm_run *run;
	struct thread_context tc;

	kvm = open("/dev/kvm", O_RDWR);
	TEST_ASSERT(kvm != -1, "failed to open /dev/kvm");
	kvmvm = ioctl(kvm, KVM_CREATE_VM, 0);
	TEST_ASSERT(kvmvm != -1, "KVM_CREATE_VM failed");
	kvmcpu = ioctl(kvmvm, KVM_CREATE_VCPU, 0);
	TEST_ASSERT(kvmcpu != -1, "KVM_CREATE_VCPU failed");

            

Reported by FlawFinder.

usleep - This C routine is considered obsolete (as opposed to the shell command by the same name). The interaction of this function with SIGALRM and other timer functions such as sleep(), alarm(), setitimer(), and nanosleep() is unspecified
Security

Line: 73 Column: 3 CWE codes: 676
Suggestion: Use nanosleep(2) or setitimer(2) instead

              	srand(getpid());
	for (i = 0; i < NTHREAD; i++) {
		pthread_create(&th[i], NULL, thr, (void *)(uintptr_t)&tc);
		usleep(rand() % 10000);
	}
	for (i = 0; i < NTHREAD; i++)
		pthread_join(th[i], NULL);
}


            

Reported by FlawFinder.

tools/testing/selftests/kvm/x86_64/vmx_nested_tsc_scaling_test.c
4 issues
Resource leak: fp (in the excerpt shown, the FILE opened by fopen() is not closed before the function returns)
Error

Line: 145 CWE codes: 775

              	if (strncmp(buf, "tsc", sizeof(buf)))
		goto skip_test;

	return;
skip_test:
	print_skip("Kernel does not use TSC clocksource - assuming that host TSC is not stable");
	exit(KSFT_SKIP);
}


            

Reported by Cppcheck.

srand - This function is not sufficiently random for security-related functions such as key and nonce creation
Security

Line: 173 Column: 2 CWE codes: 327
Suggestion: Use a more secure technique for acquiring random values

              	 * referenced by both main() and l1_guest_code() and using a global
	 * variable does not work.
	 */
	srand(time(NULL));
	l1_scale_factor = (rand() % 9) + 2;
	printf("L1's scale down factor is: %"PRIu64"\n", l1_scale_factor);
	printf("L2's scale up factor is: %llu\n", L2_SCALE_FACTOR);

	tsc_start = rdtsc();

            

Reported by FlawFinder.

char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 133 Column: 2 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

              static void stable_tsc_check_supported(void)
{
	FILE *fp;
	char buf[4];

	fp = fopen("/sys/devices/system/clocksource/clocksource0/current_clocksource", "r");
	if (fp == NULL)
		goto skip_test;


            

Reported by FlawFinder.

fopen - Check when opening files - can an attacker redirect it (via symlinks), force the opening of a special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 135 Column: 7 CWE codes: 362

              	FILE *fp;
	char buf[4];

	fp = fopen("/sys/devices/system/clocksource/clocksource0/current_clocksource", "r");
	if (fp == NULL)
		goto skip_test;

	if (fgets(buf, sizeof(buf), fp) == NULL)
		goto skip_test;

            

Reported by FlawFinder.

tools/testing/selftests/media_tests/media_device_open.c
4 issues
getopt - Some older implementations do not protect against internal buffer overflows
Security

Line: 54 Column: 16 CWE codes: 120 20
Suggestion: Check the implementation on installation, or limit the size of all string inputs

              	}

	/* Process arguments */
	while ((opt = getopt(argc, argv, "d:")) != -1) {
		switch (opt) {
		case 'd':
			strncpy(media_device, optarg, sizeof(media_device) - 1);
			media_device[sizeof(media_device)-1] = '\0';
			break;

            

Reported by FlawFinder.

char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 42 Column: 2 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

              int main(int argc, char **argv)
{
	int opt;
	char media_device[256];
	int count = 0;
	struct media_device_info mdi;
	int ret;
	int fd;


            

Reported by FlawFinder.

open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of a special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 70 Column: 7 CWE codes: 362

              		ksft_exit_skip("Please run the test as root - Exiting.\n");

	/* Open Media device and keep it open */
	fd = open(media_device, O_RDWR);
	if (fd == -1) {
		printf("Media Device open errno %s\n", strerror(errno));
		exit(-1);
	}


            

Reported by FlawFinder.

strncpy - Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned]
Security

Line: 57 Column: 4 CWE codes: 120

              	while ((opt = getopt(argc, argv, "d:")) != -1) {
		switch (opt) {
		case 'd':
			strncpy(media_device, optarg, sizeof(media_device) - 1);
			media_device[sizeof(media_device)-1] = '\0';
			break;
		default:
			printf("Usage: %s [-d </dev/mediaX>]\n", argv[0]);
			exit(-1);

            

Reported by FlawFinder.

tools/testing/selftests/memfd/fuse_test.c
4 issues
Memory leak: stack
Error

Line: 219 CWE codes: 401

              		abort();
	}

	return pid;
}

static void join_sealing_thread(pid_t pid)
{
	waitpid(pid, NULL, 0);

            

Reported by Cppcheck.

open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of a special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 261 Column: 7 CWE codes: 362

              
	/* open FUSE memfd file for GUP testing */
	printf("opening: %s\n", argv[1]);
	fd = open(argv[1], O_RDONLY | O_CLOEXEC);
	if (fd < 0) {
		printf("cannot open(\"%s\"): %m\n", argv[1]);
		abort();
	}


            

Reported by FlawFinder.

usleep - This C routine is considered obsolete (as opposed to the shell command by the same name). The interaction of this function with SIGALRM and other timer functions such as sleep(), alarm(), setitimer(), and nanosleep() is unspecified
Security

Line: 176 Column: 2 CWE codes: 676
Suggestion: Use nanosleep(2) or setitimer(2) instead

              	 */

	/* wait 200ms for FUSE-request to be active */
	usleep(200000);

	/* unmount mapping before sealing to avoid i_mmap_writable failures */
	munmap(global_p, mfd_def_size);

	/* Try sealing the global file; expect EBUSY or success. Current

            

Reported by FlawFinder.

read - Check buffer boundaries if it is used in a loop, including recursive loops
Security

Line: 288 Column: 6 CWE codes: 120 20

              	 * This guarantees that the receive-buffer is pinned for 1s until the
	 * data is written into it. The racing ADD_SEALS should thus fail as
	 * the pages are still pinned. */
	r = read(fd, p, mfd_def_size);
	if (r < 0) {
		printf("read() failed: %m\n");
		abort();
	} else if (!r) {
		printf("unexpected EOF on read()\n");

            

Reported by FlawFinder.

tools/testing/selftests/mount/unprivileged-remount-test.c
4 issues
vfprintf - If format strings can be influenced by an attacker, they can be exploited
Security

Line: 52 Column: 2 CWE codes: 134
Suggestion: Use a constant for the format specification

              {
	va_list ap;
	va_start(ap, fmt);
	vfprintf(stderr, fmt, ap);
	va_end(ap);
	exit(EXIT_FAILURE);
}

static void vmaybe_write_file(bool enoent_ok, char *filename, char *fmt, va_list ap)

            

Reported by FlawFinder.

vsnprintf - If format strings can be influenced by an attacker, they can be exploited, and note that sprintf variations do not always \0-terminate
Security

Line: 64 Column: 12 CWE codes: 134
Suggestion: Use a constant for the format specification

              	ssize_t written;
	int buf_len;

	buf_len = vsnprintf(buf, sizeof(buf), fmt, ap);
	if (buf_len < 0) {
		die("vsnprintf failed: %s\n",
		    strerror(errno));
	}
	if (buf_len >= sizeof(buf)) {

            

Reported by FlawFinder.

char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 59 Column: 2 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

              
static void vmaybe_write_file(bool enoent_ok, char *filename, char *fmt, va_list ap)
{
	char buf[4096];
	int fd;
	ssize_t written;
	int buf_len;

	buf_len = vsnprintf(buf, sizeof(buf), fmt, ap);

            

Reported by FlawFinder.

open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of a special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 73 Column: 7 CWE codes: 362

              		die("vsnprintf output truncated\n");
	}

	fd = open(filename, O_WRONLY);
	if (fd < 0) {
		if ((errno == ENOENT) && enoent_ok)
			return;
		die("open of %s failed: %s\n",
		    filename, strerror(errno));

            

Reported by FlawFinder.

tools/testing/selftests/net/psock_snd.c
4 issues
system - This causes a new program to execute and is difficult to use safely
Security

Line: 388 Column: 6 CWE codes: 78
Suggestion: Try using a library call that implements the same functionality, if one is available

              {
	parse_opts(argc, argv);

	if (system("ip link set dev lo mtu 1500"))
		error(1, errno, "ip link set mtu");
	if (system("ip addr add dev lo 172.17.0.1/24"))
		error(1, errno, "ip addr add");

	run_test();

            

Reported by FlawFinder.

system - This causes a new program to execute and is difficult to use safely
Security

Line: 390 Column: 6 CWE codes: 78
Suggestion: Try using a library call that implements the same functionality, if one is available

              
	if (system("ip link set dev lo mtu 1500"))
		error(1, errno, "ip link set mtu");
	if (system("ip addr add dev lo 172.17.0.1/24"))
		error(1, errno, "ip addr add");

	run_test();

	fprintf(stderr, "OK\n\n");

            

Reported by FlawFinder.

getopt - Some older implementations do not protect against internal buffer overflows
Security

Line: 312 Column: 14 CWE codes: 120 20
Suggestion: Check the implementation on installation, or limit the size of all string inputs

              {
	int c;

	while ((c = getopt(argc, argv, "bcCdgl:qt:vV")) != -1) {
		switch (c) {
		case 'b':
			cfg_use_bind = true;
			break;
		case 'c':

            

Reported by FlawFinder.

char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 52 Column: 8 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

              /* test sending up to max mtu + 1 */
#define TEST_SZ	(sizeof(struct virtio_net_hdr) + ETH_HLEN + ETH_MAX_MTU + 1)

static char tbuf[TEST_SZ], rbuf[TEST_SZ];

static unsigned long add_csum_hword(const uint16_t *start, int num_u16)
{
	unsigned long sum = 0;
	int i;

            

Reported by FlawFinder.

tools/perf/builtin-probe.c
4 issues
sprintf - Does not check for buffer overflows
Security

Line: 160 Column: 10 CWE codes: 120
Suggestion: Use sprintf_s, snprintf, or vsnprintf

              		if (i == 0 && found_target)
			continue;

		len += sprintf(&buf[len], "%s ", argv[i]);
	}
	ret = parse_probe_event(buf);
	free(buf);
	return ret;
}

            

Reported by FlawFinder.

char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 327 Column: 2 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

              
static void pr_err_with_code(const char *msg, int err)
{
	char sbuf[STRERR_BUFSIZE];

	pr_err("%s", msg);
	pr_debug(" Reason: %s (Code: %d)",
		 str_error_r(-err, sbuf, sizeof(sbuf)), err);
	pr_err("\n");

            

Reported by FlawFinder.

strlen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected)
Security

Line: 122 Column: 16 CWE codes: 126

              		params.target_used = false;

		found = 1;
		buf = ptr + (strlen(ptr) - 3);

		if (strcmp(buf, ".ko"))
			params.uprobes = true;

	}

            

Reported by FlawFinder.

strlen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected)
Security

Line: 150 Column: 10 CWE codes: 126

              		if (i == 0 && found_target)
			continue;

		len += strlen(argv[i]) + 1;
	}
	buf = zalloc(len + 1);
	if (buf == NULL)
		return -ENOMEM;
	len = 0;

            

Reported by FlawFinder.