The following issues were found
drivers/input/keyboard/maple_keyb.c
4 issues
Line: 29
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct dc_kbd {
struct input_dev *dev;
unsigned short keycode[NR_SCANCODES];
unsigned char new[8];
unsigned char old[8];
};
static const unsigned short dc_kbd_keycode[NR_SCANCODES] = {
KEY_RESERVED, KEY_RESERVED, KEY_RESERVED, KEY_RESERVED, KEY_A, KEY_B,
Reported by FlawFinder.
Line: 30
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct input_dev *dev;
unsigned short keycode[NR_SCANCODES];
unsigned char new[8];
unsigned char old[8];
};
static const unsigned short dc_kbd_keycode[NR_SCANCODES] = {
KEY_RESERVED, KEY_RESERVED, KEY_RESERVED, KEY_RESERVED, KEY_A, KEY_B,
KEY_C, KEY_D, KEY_E, KEY_F, KEY_G, KEY_H, KEY_I, KEY_J, KEY_K, KEY_L,
Reported by FlawFinder.
Line: 122
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
}
input_sync(dev);
memcpy(kbd->old, kbd->new, 8);
}
static void dc_kbd_callback(struct mapleq *mq)
{
struct maple_device *mapledev = mq->dev;
Reported by FlawFinder.
Line: 138
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (likely(mutex_trylock(&maple_keyb_mutex))) {
if (buf[1] == mapledev->function) {
memcpy(kbd->new, buf + 2, 8);
dc_scan_kbd(kbd);
}
mutex_unlock(&maple_keyb_mutex);
}
Reported by FlawFinder.
drivers/i3c/master/dw-i3c-master.c
4 issues
Line: 241
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void __iomem *regs;
struct reset_control *core_rst;
struct clk *core_clk;
char version[5];
char type[5];
u8 addrs[MAX_DEVS];
};
struct dw_i3c_i2c_dev_data {
Reported by FlawFinder.
Line: 242
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct reset_control *core_rst;
struct clk *core_clk;
char version[5];
char type[5];
u8 addrs[MAX_DEVS];
};
struct dw_i3c_i2c_dev_data {
u8 index;
Reported by FlawFinder.
Line: 340
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (nbytes & 3) {
u32 tmp = 0;
memcpy(&tmp, bytes + (nbytes & ~3), nbytes & 3);
writesl(master->regs + RX_TX_DATA_PORT, &tmp, 1);
}
}
static void dw_i3c_master_read_rx_fifo(struct dw_i3c_master *master,
Reported by FlawFinder.
Line: 353
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
u32 tmp;
readsl(master->regs + RX_TX_DATA_PORT, &tmp, 1);
memcpy(bytes + (nbytes & ~3), &tmp, nbytes & 3);
}
}
static struct dw_i3c_xfer *
dw_i3c_master_alloc_xfer(struct dw_i3c_master *master, unsigned int ncmds)
Reported by FlawFinder.
drivers/greybus/interface.c
4 issues
Line: 589
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct gb_interface *intf = to_gb_interface(dev);
return sprintf(buf, "%s\n", gb_interface_type_string(intf));
}
static DEVICE_ATTR_RO(interface_type);
static struct attribute *interface_unipro_attrs[] = {
&dev_attr_ddbl1_manufacturer_id.attr,
Reported by FlawFinder.
Line: 472
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
return ret;
}
return sprintf(buf, "%u\n", measurement);
}
static DEVICE_ATTR_RO(voltage_now);
static ssize_t current_now_show(struct device *dev,
struct device_attribute *attr, char *buf)
Reported by FlawFinder.
Line: 491
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
return ret;
}
return sprintf(buf, "%u\n", measurement);
}
static DEVICE_ATTR_RO(current_now);
static ssize_t power_now_show(struct device *dev,
struct device_attribute *attr, char *buf)
Reported by FlawFinder.
Line: 510
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
return ret;
}
return sprintf(buf, "%u\n", measurement);
}
static DEVICE_ATTR_RO(power_now);
static ssize_t power_state_show(struct device *dev,
struct device_attribute *attr, char *buf)
Reported by FlawFinder.
drivers/infiniband/core/umem.c
4 issues
Line: 148
Column: 25
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
* @access: IB_ACCESS_xxx flags for memory being pinned
*/
struct ib_umem *ib_umem_get(struct ib_device *device, unsigned long addr,
size_t size, int access)
{
struct ib_umem *umem;
struct page **page_list;
unsigned long lock_limit;
unsigned long new_pinned;
Reported by FlawFinder.
Line: 173
Column: 6
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
if (!can_do_mlock())
return ERR_PTR(-EPERM);
if (access & IB_ACCESS_ON_DEMAND)
return ERR_PTR(-EOPNOTSUPP);
umem = kzalloc(sizeof(*umem), GFP_KERNEL);
if (!umem)
return ERR_PTR(-ENOMEM);
Reported by FlawFinder.
Line: 187
Column: 40
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
* correctly.
*/
umem->iova = addr;
umem->writable = ib_access_writable(access);
umem->owning_mm = mm = current->mm;
mmgrab(mm);
page_list = (struct page **) __get_free_page(GFP_KERNEL);
if (!page_list) {
Reported by FlawFinder.
Line: 241
Column: 6
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
}
}
if (access & IB_ACCESS_RELAXED_ORDERING)
dma_attr |= DMA_ATTR_WEAK_ORDERING;
umem->nmap =
ib_dma_map_sg_attrs(device, umem->sg_head.sgl, umem->sg_nents,
DMA_BIDIRECTIONAL, dma_attr);
Reported by FlawFinder.
drivers/hv/ring_buffer.c
4 issues
Line: 114
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
void *ring_buffer = hv_get_ring_buffer(ring_info);
u32 ring_buffer_size = hv_get_ring_buffersize(ring_info);
memcpy(ring_buffer + start_write_offset, src, srclen);
start_write_offset += srclen;
if (start_write_offset >= ring_buffer_size)
start_write_offset -= ring_buffer_size;
Reported by FlawFinder.
Line: 389
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -ENOBUFS;
/* since ring is double mapped, only one copy is necessary */
memcpy(buffer, (const char *)desc + offset, packetlen);
/* Advance ring index to next packet descriptor */
__hv_pkt_iter_next(channel, desc, true);
/* Notify host of update */
Reported by FlawFinder.
Line: 474
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Copy the Hyper-V packet out of the ring buffer */
desc_copy = (struct vmpacket_descriptor *)rbi->pkt_buffer;
memcpy(desc_copy, desc, pkt_len);
/*
* Hyper-V could still change len8 and offset8 after the earlier read.
* Ensure that desc_copy has legal values for len8 and offset8 that
* are consistent with the copy we just made
Reported by FlawFinder.
Line: 132
Column: 14
CWE codes:
120
20
*/
static void
hv_get_ringbuffer_availbytes(const struct hv_ring_buffer_info *rbi,
u32 *read, u32 *write)
{
u32 read_loc, write_loc, dsize;
/* Capture the read/write indices before they changed */
read_loc = READ_ONCE(rbi->ring_buffer->read_index);
Reported by FlawFinder.
drivers/iio/accel/adxl372.c
4 issues
Line: 449
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
bool ref_en, bool enable,
unsigned int threshold)
{
unsigned char buf[6];
unsigned char th_reg_high_val, th_reg_low_val, th_reg_high_addr;
/* scale factor is 100 mg/code */
th_reg_high_val = (threshold / 100) >> 3;
th_reg_low_val = ((threshold / 100) << 5) | (ref_en << 1) | enable;
Reported by FlawFinder.
Line: 614
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (ADXL372_Z_AXIS_EN(st->fifo_axis_mask))
axis_sample[i++] = sample[2];
memcpy(sample, axis_sample, 3 * sizeof(__be16));
}
static void adxl372_push_event(struct iio_dev *indio_dev, s64 timestamp, u8 status2)
{
unsigned int ev_dir = IIO_EV_DIR_NONE;
Reported by FlawFinder.
Line: 988
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct iio_dev *indio_dev = dev_to_iio_dev(dev);
struct adxl372_state *st = iio_priv(indio_dev);
return sprintf(buf, "%d\n", st->fifo_mode);
}
static ssize_t adxl372_get_fifo_watermark(struct device *dev,
struct device_attribute *attr,
char *buf)
Reported by FlawFinder.
Line: 998
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct iio_dev *indio_dev = dev_to_iio_dev(dev);
struct adxl372_state *st = iio_priv(indio_dev);
return sprintf(buf, "%d\n", st->watermark);
}
static IIO_CONST_ATTR(hwfifo_watermark_min, "1");
static IIO_CONST_ATTR(hwfifo_watermark_max,
__stringify(ADXL372_FIFO_SIZE));
Reported by FlawFinder.
drivers/hwtracing/coresight/coresight-tmc-core.c
4 issues
Line: 37
Column: 37
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
void tmc_wait_for_tmcready(struct tmc_drvdata *drvdata)
{
struct coresight_device *csdev = drvdata->csdev;
struct csdev_access *csa = &csdev->access;
/* Ensure formatter, unformatter and hardware fifo are empty */
if (coresight_timeout(csa, TMC_STS, TMC_STS_TMCREADY_BIT, 1)) {
dev_err(&csdev->dev,
"timeout while waiting for TMC to be Ready\n");
Reported by FlawFinder.
Line: 49
Column: 37
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
void tmc_flush_and_stop(struct tmc_drvdata *drvdata)
{
struct coresight_device *csdev = drvdata->csdev;
struct csdev_access *csa = &csdev->access;
u32 ffcr;
ffcr = readl_relaxed(drvdata->base + TMC_FFCR);
ffcr |= TMC_FFCR_STOP_ON_FLUSH;
writel_relaxed(ffcr, drvdata->base + TMC_FFCR);
Reported by FlawFinder.
Line: 298
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct tmc_drvdata *drvdata = dev_get_drvdata(dev->parent);
unsigned long val = drvdata->trigger_cntr;
return sprintf(buf, "%#lx\n", val);
}
static ssize_t trigger_cntr_store(struct device *dev,
struct device_attribute *attr,
const char *buf, size_t size)
Reported by FlawFinder.
Line: 323
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct tmc_drvdata *drvdata = dev_get_drvdata(dev->parent);
return sprintf(buf, "%#x\n", drvdata->size);
}
static ssize_t buffer_size_store(struct device *dev,
struct device_attribute *attr,
const char *buf, size_t size)
Reported by FlawFinder.
drivers/gpu/drm/i915/display/intel_dp_link_training.c
4 issues
Line: 70
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
enum drm_dp_phy dp_phy)
{
u8 *phy_caps = intel_dp_lttpr_phy_caps(intel_dp, dp_phy);
char phy_name[10];
intel_dp_phy_name(dp_phy, phy_name, sizeof(phy_name));
if (drm_dp_read_lttpr_phy_caps(&intel_dp->aux, dp_phy, phy_caps) < 0) {
drm_dbg_kms(&dp_to_i915(intel_dp)->drm,
Reported by FlawFinder.
Line: 358
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
buf[0] = dp_train_pat;
/* DP_TRAINING_LANEx_SET follow DP_TRAINING_PATTERN_SET */
memcpy(buf + 1, intel_dp->train_set, crtc_state->lane_count);
len = crtc_state->lane_count + 1;
return drm_dp_dpcd_write(&intel_dp->aux, reg, buf, len) == len;
}
Reported by FlawFinder.
Line: 403
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct drm_i915_private *dev_priv = dp_to_i915(intel_dp);
u8 train_set = intel_dp->train_set[0];
char phy_name[10];
drm_dbg_kms(&dev_priv->drm, "Using vswing level %d%s, pre-emphasis level %d%s, at %s\n",
train_set & DP_TRAIN_VOLTAGE_SWING_MASK,
train_set & DP_TRAIN_MAX_SWING_REACHED ? " (max)" : "",
(train_set & DP_TRAIN_PRE_EMPHASIS_MASK) >>
Reported by FlawFinder.
Line: 787
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
enum drm_dp_phy dp_phy)
{
struct intel_connector *intel_connector = intel_dp->attached_connector;
char phy_name[10];
bool ret = false;
if (!intel_dp_link_training_clock_recovery(intel_dp, crtc_state, dp_phy))
goto out;
Reported by FlawFinder.
drivers/infiniband/hw/hfi1/firmware.c
4 issues
Line: 362
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (bytes < 8) {
reg = 0;
memcpy(®, &data[offset], bytes);
} else if (aligned) {
reg = *(u64 *)&data[offset];
} else {
memcpy(®, &data[offset], 8);
}
Reported by FlawFinder.
Line: 366
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
} else if (aligned) {
reg = *(u64 *)&data[offset];
} else {
memcpy(®, &data[offset], 8);
}
write_csr(dd, DC_DC8051_CFG_RAM_ACCESS_WR_DATA, reg);
/* wait until ACCESS_COMPLETED is set */
count = 0;
Reported by FlawFinder.
Line: 794
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (i = 0; i < qw_size; i++, data += 8) {
u64 value;
memcpy(&value, data, 8);
write_csr(dd, what + (8 * i), value);
}
}
}
Reported by FlawFinder.
Line: 2118
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* We expect the field to be byte aligned and whole byte
* lengths if we are here
*/
memcpy(data, src_ptr, wlen);
return 0;
}
break;
case PLATFORM_CONFIG_PORT_TABLE:
/* Port table is 4 DWORDS */
Reported by FlawFinder.
drivers/input/rmi4/rmi_f34.h
4 issues
Line: 211
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int bootloader_size;
unsigned int display_cfg_offset;
unsigned char bl_version;
unsigned char product_id[PRODUCT_ID_SIZE + 1];
unsigned char cstmr_product_id[PRODUCT_ID_SIZE + 1];
struct block_data bootloader;
struct block_data ui_firmware;
struct block_data ui_config;
struct block_data dp_config;
Reported by FlawFinder.
Line: 212
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int display_cfg_offset;
unsigned char bl_version;
unsigned char product_id[PRODUCT_ID_SIZE + 1];
unsigned char cstmr_product_id[PRODUCT_ID_SIZE + 1];
struct block_data bootloader;
struct block_data ui_firmware;
struct block_data ui_config;
struct block_data dp_config;
struct block_data fl_config;
Reported by FlawFinder.
Line: 295
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct rmi_function *fn;
u8 bl_version;
unsigned char bootloader_id[5];
unsigned char configuration_id[CONFIG_ID_SIZE*2 + 1];
int update_status;
int update_progress;
int update_size;
Reported by FlawFinder.
Line: 296
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u8 bl_version;
unsigned char bootloader_id[5];
unsigned char configuration_id[CONFIG_ID_SIZE*2 + 1];
int update_status;
int update_progress;
int update_size;
Reported by FlawFinder.