The following issues were found
drivers/input/serio/i8042.c
4 issues
Line: 1377
Column: 3
CWE codes:
134
Suggestion:
Use a constant for the format specification
serio->close = i8042_port_close;
} else {
snprintf(serio->name, sizeof(serio->name), "i8042 AUX%d port", idx);
snprintf(serio->phys, sizeof(serio->phys), I8042_MUX_PHYS_DESC, idx + 1);
strlcpy(serio->firmware_id, i8042_aux_firmware_id,
sizeof(serio->firmware_id));
}
port->serio = serio;
Reported by FlawFinder.
Line: 127
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static bool i8042_present;
static bool i8042_bypass_aux_irq_test;
static char i8042_kbd_firmware_id[128];
static char i8042_aux_firmware_id[128];
static struct fwnode_handle *i8042_kbd_fwnode;
#include "i8042.h"
Reported by FlawFinder.
Line: 128
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static bool i8042_present;
static bool i8042_bypass_aux_irq_test;
static char i8042_kbd_firmware_id[128];
static char i8042_aux_firmware_id[128];
static struct fwnode_handle *i8042_kbd_fwnode;
#include "i8042.h"
/*
Reported by FlawFinder.
Line: 991
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
unsigned long flags;
int n = 0;
unsigned char ctr[2];
/*
* Save the CTR for restore on unload / reboot.
*/
Reported by FlawFinder.
drivers/hwtracing/coresight/coresight-etm-perf.c
4 issues
Line: 77
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
#if IS_ENABLED(CONFIG_CORESIGHT_SOURCE_ETM4X)
pid_fmt = is_kernel_in_hyp_mode() ? ETM_OPT_CTXTID2 : ETM_OPT_CTXTID;
#endif
return sprintf(page, "config:%d\n", pid_fmt);
}
static struct device_attribute format_attr_contextid =
__ATTR(contextid, 0444, format_attr_contextid_show, NULL);
Reported by FlawFinder.
Line: 138
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -ENOMEM;
if (event->parent)
memcpy(filters, event->parent->hw.addr_filters,
sizeof(*filters));
event->hw.addr_filters = filters;
return 0;
Reported by FlawFinder.
Line: 627
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int etm_perf_symlink(struct coresight_device *csdev, bool link)
{
char entry[sizeof("cpu9999999")];
int ret = 0, cpu = source_ops(csdev)->cpu_id(csdev);
struct device *pmu_dev = etm_pmu.dev;
struct device *cs_dev = &csdev->dev;
sprintf(entry, "cpu%d", cpu);
Reported by FlawFinder.
Line: 632
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct device *pmu_dev = etm_pmu.dev;
struct device *cs_dev = &csdev->dev;
sprintf(entry, "cpu%d", cpu);
if (!etm_perf_up)
return -EPROBE_DEFER;
if (link) {
Reported by FlawFinder.
drivers/hid/hid-asus.c
4 issues
Line: 1195
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
hid_info(hdev, "Fixing up Asus G752 keyb report descriptor\n");
/* copy the valid part */
memcpy(new_rdesc, rdesc, 61);
/* insert missing part */
memcpy(new_rdesc + 61, asus_g752_fixed_rdesc, sizeof(asus_g752_fixed_rdesc));
/* copy remaining data */
memcpy(new_rdesc + 61 + sizeof(asus_g752_fixed_rdesc), rdesc + 61, *rsize - 61);
Reported by FlawFinder.
Line: 1197
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* copy the valid part */
memcpy(new_rdesc, rdesc, 61);
/* insert missing part */
memcpy(new_rdesc + 61, asus_g752_fixed_rdesc, sizeof(asus_g752_fixed_rdesc));
/* copy remaining data */
memcpy(new_rdesc + 61 + sizeof(asus_g752_fixed_rdesc), rdesc + 61, *rsize - 61);
*rsize = new_size;
rdesc = new_rdesc;
Reported by FlawFinder.
Line: 1199
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* insert missing part */
memcpy(new_rdesc + 61, asus_g752_fixed_rdesc, sizeof(asus_g752_fixed_rdesc));
/* copy remaining data */
memcpy(new_rdesc + 61 + sizeof(asus_g752_fixed_rdesc), rdesc + 61, *rsize - 61);
*rsize = new_size;
rdesc = new_rdesc;
}
Reported by FlawFinder.
Line: 724
Column: 6
CWE codes:
126
drvdata->battery_desc.use_for_apm = 0;
drvdata->battery_desc.name = devm_kasprintf(&hdev->dev, GFP_KERNEL,
"asus-keyboard-%s-battery",
strlen(hdev->uniq) ?
hdev->uniq : dev_name(&hdev->dev));
if (!drvdata->battery_desc.name)
return -ENOMEM;
drvdata->battery_next_query = jiffies;
Reported by FlawFinder.
drivers/hwmon/adcxx.c
4 issues
Line: 132
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t adcxx_name_show(struct device *dev,
struct device_attribute *devattr, char *buf)
{
return sprintf(buf, "%s\n", to_spi_device(dev)->modalias);
}
static struct sensor_device_attribute ad_input[] = {
SENSOR_ATTR_RO(name, adcxx_name, 0),
SENSOR_ATTR_RO(in_min, adcxx_min, 0),
Reported by FlawFinder.
Line: 78
Column: 11
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
dev_dbg(dev, "raw value = 0x%x\n", value);
value = value * adc->reference >> 12;
status = sprintf(buf, "%d\n", value);
out:
mutex_unlock(&adc->lock);
return status;
}
Reported by FlawFinder.
Line: 88
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct device_attribute *devattr, char *buf)
{
/* The minimum reference is 0 for this chip family */
return sprintf(buf, "0\n");
}
static ssize_t adcxx_max_show(struct device *dev,
struct device_attribute *devattr, char *buf)
{
Reported by FlawFinder.
Line: 105
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
mutex_unlock(&adc->lock);
return sprintf(buf, "%d\n", reference);
}
static ssize_t adcxx_max_store(struct device *dev,
struct device_attribute *devattr,
const char *buf, size_t count)
Reported by FlawFinder.
drivers/md/bcache/debug.c
4 issues
Line: 62
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
submit_bio_wait(bio);
bch_bbio_free(bio, b->c);
memcpy(ondisk, sorted, KEY_SIZE(&v->key) << 9);
bch_btree_node_read_done(v);
sorted = v->keys.set->data;
if (inmemory->keys != sorted->keys ||
Reported by FlawFinder.
Line: 160
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* XXX: cache set refcounting */
struct dump_iterator {
char buf[PAGE_SIZE];
size_t bytes;
struct cache_set *c;
struct keybuf keys;
};
Reported by FlawFinder.
Line: 176
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct dump_iterator *i = file->private_data;
ssize_t ret = 0;
char kbuf[80];
while (size) {
struct keybuf_key *w;
unsigned int bytes = min(i->bytes, size);
Reported by FlawFinder.
Line: 239
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void bch_debug_init_cache_set(struct cache_set *c)
{
if (!IS_ERR_OR_NULL(bcache_debug)) {
char name[50];
snprintf(name, 50, "bcache-%pU", c->set_uuid);
c->debug = debugfs_create_file(name, 0400, bcache_debug, c,
&cache_set_debug_ops);
}
Reported by FlawFinder.
drivers/gpu/drm/i915/i915_sysfs.c
4 issues
Line: 183
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
spin_lock(&i915->gem.contexts.lock);
if (i915->l3_parity.remap_info[slice])
memcpy(buf,
i915->l3_parity.remap_info[slice] + offset / sizeof(u32),
count);
spin_unlock(&i915->gem.contexts.lock);
return count;
Reported by FlawFinder.
Line: 224
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
count = round_down(count, sizeof(u32));
memcpy(remap_info + offset / sizeof(u32), buf, count);
/* NB: We defer the remapping until we switch to the context */
list_for_each_entry(ctx, &i915->gem.contexts.list, link)
ctx->remap_slice |= BIT(slice);
Reported by FlawFinder.
Line: 510
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
size_t len = strlen(str);
ret = min_t(size_t, count, len - off);
memcpy(buf, str + off, ret);
}
return ret;
}
Reported by FlawFinder.
Line: 507
Column: 16
CWE codes:
126
i915_gpu_coredump_put(gpu);
} else {
const char *str = "No error state collected\n";
size_t len = strlen(str);
ret = min_t(size_t, count, len - off);
memcpy(buf, str + off, ret);
}
Reported by FlawFinder.
drivers/gpu/drm/etnaviv/etnaviv_perfmon.c
4 issues
Line: 15
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct etnaviv_pm_domain;
struct etnaviv_pm_signal {
char name[64];
u32 data;
u32 (*sample)(struct etnaviv_gpu *gpu,
const struct etnaviv_pm_domain *domain,
const struct etnaviv_pm_signal *signal);
Reported by FlawFinder.
Line: 24
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
struct etnaviv_pm_domain {
char name[64];
/* profile register */
u32 profile_read;
u32 profile_config;
Reported by FlawFinder.
Line: 514
Column: 2
CWE codes:
120
domain->id = domain->iter;
domain->nr_signals = dom->nr_signals;
strncpy(domain->name, dom->name, sizeof(domain->name));
domain->iter++;
if (domain->iter == nr_domains)
domain->iter = 0xff;
Reported by FlawFinder.
Line: 543
Column: 2
CWE codes:
120
sig = &dom->signal[signal->iter];
signal->id = signal->iter;
strncpy(signal->name, sig->name, sizeof(signal->name));
signal->iter++;
if (signal->iter == dom->nr_signals)
signal->iter = 0xffff;
Reported by FlawFinder.
drivers/hid/hid-corsair.c
4 issues
Line: 443
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
ret = -ENOMEM;
goto fail_name_alloc;
}
snprintf(name, name_sz, "%s" K90_BACKLIGHT_LED_SUFFIX,
dev_name(&dev->dev));
drvdata->backlight->removed = false;
drvdata->backlight->cdev.name = name;
drvdata->backlight->cdev.max_brightness = 3;
drvdata->backlight->cdev.brightness_set = k90_brightness_set;
Reported by FlawFinder.
Line: 488
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
ret = -ENOMEM;
goto fail_record_led_alloc;
}
snprintf(name, name_sz, "%s" K90_RECORD_LED_SUFFIX,
dev_name(&dev->dev));
k90->record_led.removed = false;
k90->record_led.cdev.name = name;
k90->record_led.cdev.max_brightness = 1;
k90->record_led.cdev.brightness_set = k90_brightness_set;
Reported by FlawFinder.
Line: 437
Column: 6
CWE codes:
126
}
name_sz =
strlen(dev_name(&dev->dev)) + sizeof(K90_BACKLIGHT_LED_SUFFIX);
name = kzalloc(name_sz, GFP_KERNEL);
if (!name) {
ret = -ENOMEM;
goto fail_name_alloc;
}
Reported by FlawFinder.
Line: 482
Column: 12
CWE codes:
126
drvdata->k90 = k90;
/* Init LED device for record LED */
name_sz = strlen(dev_name(&dev->dev)) + sizeof(K90_RECORD_LED_SUFFIX);
name = kzalloc(name_sz, GFP_KERNEL);
if (!name) {
ret = -ENOMEM;
goto fail_record_led_alloc;
}
Reported by FlawFinder.
drivers/input/tablet/acecad.c
4 issues
Line: 29
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define USB_DEVICE_ID_302 0x0008
struct usb_acecad {
char name[128];
char phys[64];
struct usb_interface *intf;
struct input_dev *input;
struct urb *irq;
Reported by FlawFinder.
Line: 30
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct usb_acecad {
char name[128];
char phys[64];
struct usb_interface *intf;
struct input_dev *input;
struct urb *irq;
unsigned char *data;
Reported by FlawFinder.
Line: 189
Column: 8
CWE codes:
126
input_set_abs_params(input_dev, ABS_X, 0, 5000, 4, 0);
input_set_abs_params(input_dev, ABS_Y, 0, 3750, 4, 0);
input_set_abs_params(input_dev, ABS_PRESSURE, 0, 512, 0, 0);
if (!strlen(acecad->name))
snprintf(acecad->name, sizeof(acecad->name),
"USB Acecad Flair Tablet %04x:%04x",
le16_to_cpu(dev->descriptor.idVendor),
le16_to_cpu(dev->descriptor.idProduct));
break;
Reported by FlawFinder.
Line: 200
Column: 8
CWE codes:
126
input_set_abs_params(input_dev, ABS_X, 0, 53000, 4, 0);
input_set_abs_params(input_dev, ABS_Y, 0, 2250, 4, 0);
input_set_abs_params(input_dev, ABS_PRESSURE, 0, 1024, 0, 0);
if (!strlen(acecad->name))
snprintf(acecad->name, sizeof(acecad->name),
"USB Acecad 302 Tablet %04x:%04x",
le16_to_cpu(dev->descriptor.idVendor),
le16_to_cpu(dev->descriptor.idProduct));
break;
Reported by FlawFinder.
drivers/gpu/drm/i915/gvt/opregion.c
4 issues
Line: 153
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
v->header.vbt_size = sizeof(struct vbt);
v->header.bdb_offset = offsetof(struct vbt, bdb_header);
strcpy(&v->bdb_header.signature[0], "BIOS_DATA_BLOCK");
v->bdb_header.version = 186; /* child_dev_size = 33 */
v->bdb_header.header_size = sizeof(v->bdb_header);
v->bdb_header.bdb_size = sizeof(struct vbt) - sizeof(struct vbt_header);
Reported by FlawFinder.
Line: 225
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u8 *buf;
struct opregion_header *header;
struct vbt v;
const char opregion_signature[16] = OPREGION_SIGNATURE;
gvt_dbg_core("init vgpu%d opregion\n", vgpu->id);
vgpu_opregion(vgpu)->va = (void *)__get_free_pages(GFP_KERNEL |
__GFP_ZERO,
get_order(INTEL_GVT_OPREGION_SIZE));
Reported by FlawFinder.
Line: 239
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* emulated opregion with VBT mailbox only */
buf = (u8 *)vgpu_opregion(vgpu)->va;
header = (struct opregion_header *)buf;
memcpy(header->signature, opregion_signature,
sizeof(opregion_signature));
header->size = 0x8;
header->opregion_ver = 0x02000000;
header->mboxes = MBOX_VBT;
Reported by FlawFinder.
Line: 253
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* emulated vbt from virt vbt generation */
virt_vbt_generation(&v);
memcpy(buf + INTEL_GVT_OPREGION_VBT_OFFSET, &v, sizeof(struct vbt));
return 0;
}
static int map_vgpu_opregion(struct intel_vgpu *vgpu, bool map)
Reported by FlawFinder.