The following issues were found
drivers/input/tablet/pegasus_notetaker.c
4 issues
Line: 86
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct mutex pm_mutex;
bool is_open;
char name[128];
char phys[64];
struct work_struct init;
};
static int pegasus_control_msg(struct pegasus *pegasus, u8 *data, int len)
Reported by FlawFinder.
Line: 87
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
bool is_open;
char name[128];
char phys[64];
struct work_struct init;
};
static int pegasus_control_msg(struct pegasus *pegasus, u8 *data, int len)
{
Reported by FlawFinder.
Line: 104
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cmd_buf[0] = NOTETAKER_REPORT_ID;
cmd_buf[1] = len;
memcpy(cmd_buf + 2, data, len);
result = usb_control_msg(pegasus->usbdev,
usb_sndctrlpipe(pegasus->usbdev, 0),
USB_REQ_SET_REPORT,
USB_TYPE_VENDOR | USB_DIR_OUT,
Reported by FlawFinder.
Line: 331
Column: 7
CWE codes:
126
strlcat(pegasus->name, dev->product, sizeof(pegasus->name));
}
if (!strlen(pegasus->name))
snprintf(pegasus->name, sizeof(pegasus->name),
"USB Pegasus Device %04x:%04x",
le16_to_cpu(dev->descriptor.idVendor),
le16_to_cpu(dev->descriptor.idProduct));
Reported by FlawFinder.
drivers/infiniband/hw/mlx5/srq_cmd.c
4 issues
Line: 148
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
1UL << (in->log_page_size + MLX5_ADAPTER_PAGE_SHIFT),
pas, 0);
else
memcpy(pas, in->pas, pas_size);
MLX5_SET(create_srq_in, create_in, opcode,
MLX5_CMD_OP_CREATE_SRQ);
err = mlx5_cmd_exec(dev->mdev, create_in, inlen, create_out,
Reported by FlawFinder.
Line: 253
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
1UL << (in->log_page_size + MLX5_ADAPTER_PAGE_SHIFT),
pas, 0);
else
memcpy(pas, in->pas, pas_size);
MLX5_SET(create_xrc_srq_in, create_in, opcode,
MLX5_CMD_OP_CREATE_XRC_SRQ);
memset(create_out, 0, sizeof(create_out));
err = mlx5_cmd_exec(dev->mdev, create_in, inlen, create_out,
Reported by FlawFinder.
Line: 371
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
1UL << (in->log_page_size + MLX5_ADAPTER_PAGE_SHIFT),
pas, 0);
else
memcpy(pas, in->pas, pas_size);
MLX5_SET(create_rmp_in, create_in, opcode, MLX5_CMD_OP_CREATE_RMP);
err = mlx5_cmd_exec(dev->mdev, create_in, inlen, create_out, outlen);
if (!err) {
srq->srqn = MLX5_GET(create_rmp_out, create_out, rmpn);
Reported by FlawFinder.
Line: 510
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
1UL << (in->log_page_size + MLX5_ADAPTER_PAGE_SHIFT),
pas, 0);
else
memcpy(pas, in->pas, pas_size);
if (in->type == IB_SRQT_TM) {
MLX5_SET(xrqc, xrqc, topology, MLX5_XRQC_TOPOLOGY_TAG_MATCHING);
if (in->flags & MLX5_SRQ_FLAG_RNDV)
MLX5_SET(xrqc, xrqc, offload, MLX5_XRQC_OFFLOAD_RNDV);
Reported by FlawFinder.
drivers/leds/led-class-multicolor.c
4 issues
Line: 102
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
for (i = 0; i < mcled_cdev->num_colors; i++) {
index = mcled_cdev->subled_info[i].color_index;
len += sprintf(buf + len, "%s", led_colors[index]);
if (i < mcled_cdev->num_colors - 1)
len += sprintf(buf + len, " ");
}
buf[len++] = '\n';
Reported by FlawFinder.
Line: 79
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
int i;
for (i = 0; i < mcled_cdev->num_colors; i++) {
len += sprintf(buf + len, "%d",
mcled_cdev->subled_info[i].intensity);
if (i < mcled_cdev->num_colors - 1)
len += sprintf(buf + len, " ");
}
Reported by FlawFinder.
Line: 82
Column: 11
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
len += sprintf(buf + len, "%d",
mcled_cdev->subled_info[i].intensity);
if (i < mcled_cdev->num_colors - 1)
len += sprintf(buf + len, " ");
}
buf[len++] = '\n';
return len;
}
Reported by FlawFinder.
Line: 104
Column: 11
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
index = mcled_cdev->subled_info[i].color_index;
len += sprintf(buf + len, "%s", led_colors[index]);
if (i < mcled_cdev->num_colors - 1)
len += sprintf(buf + len, " ");
}
buf[len++] = '\n';
return len;
}
Reported by FlawFinder.
drivers/isdn/mISDN/dsp_dtmf.c
4 issues
Line: 29
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
/* digit matrix */
static char dtmf_matrix[4][4] =
{
{'1', '2', '3', 'A'},
{'4', '5', '6', 'B'},
{'7', '8', '9', 'C'},
{'*', '0', '#', 'D'}
Reported by FlawFinder.
Line: 298
Column: 10
CWE codes:
126
if (dsp_debug & DEBUG_DSP_DTMF)
printk(KERN_DEBUG "DTMF digit: %c\n",
what);
if ((strlen(dsp->dtmf.digits) + 1)
< sizeof(dsp->dtmf.digits)) {
dsp->dtmf.digits[strlen(
dsp->dtmf.digits) + 1] = '\0';
dsp->dtmf.digits[strlen(
dsp->dtmf.digits)] = what;
Reported by FlawFinder.
Line: 300
Column: 23
CWE codes:
126
what);
if ((strlen(dsp->dtmf.digits) + 1)
< sizeof(dsp->dtmf.digits)) {
dsp->dtmf.digits[strlen(
dsp->dtmf.digits) + 1] = '\0';
dsp->dtmf.digits[strlen(
dsp->dtmf.digits)] = what;
}
}
Reported by FlawFinder.
Line: 302
Column: 23
CWE codes:
126
< sizeof(dsp->dtmf.digits)) {
dsp->dtmf.digits[strlen(
dsp->dtmf.digits) + 1] = '\0';
dsp->dtmf.digits[strlen(
dsp->dtmf.digits)] = what;
}
}
}
} else
Reported by FlawFinder.
drivers/hwmon/w83627ehf.c
4 issues
Line: 880
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct sensor_device_attribute *sensor_attr = \
to_sensor_dev_attr(attr); \
int nr = sensor_attr->index; \
return sprintf(buf, "%d\n", data->reg[nr] * 1000); \
}
show_tol_temp(tolerance)
show_tol_temp(target_temp)
Reported by FlawFinder.
Line: 967
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct sensor_device_attribute *sensor_attr = \
to_sensor_dev_attr(attr); \
int nr = sensor_attr->index; \
return sprintf(buf, "%d\n", data->reg[nr]); \
} \
static ssize_t \
store_##reg(struct device *dev, struct device_attribute *attr, \
const char *buf, size_t count) \
{ \
Reported by FlawFinder.
Line: 1003
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct sensor_device_attribute *sensor_attr = \
to_sensor_dev_attr(attr); \
int nr = sensor_attr->index; \
return sprintf(buf, "%d\n", \
step_time_from_reg(data->reg[nr], \
data->pwm_mode[nr])); \
} \
\
static ssize_t \
Reported by FlawFinder.
Line: 1084
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
cpu0_vid_show(struct device *dev, struct device_attribute *attr, char *buf)
{
struct w83627ehf_data *data = dev_get_drvdata(dev);
return sprintf(buf, "%d\n", vid_from_reg(data->vid, data->vrm));
}
DEVICE_ATTR_RO(cpu0_vid);
/* Case open detection */
Reported by FlawFinder.
drivers/hwmon/via-cputemp.c
4 issues
Line: 58
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct via_cputemp_data *data = dev_get_drvdata(dev);
if (attr->index == SHOW_NAME)
ret = sprintf(buf, "%s\n", data->name);
else /* show label */
ret = sprintf(buf, "Core %d\n", data->id);
return ret;
}
Reported by FlawFinder.
Line: 60
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (attr->index == SHOW_NAME)
ret = sprintf(buf, "%s\n", data->name);
else /* show label */
ret = sprintf(buf, "Core %d\n", data->id);
return ret;
}
static ssize_t temp_show(struct device *dev, struct device_attribute *devattr,
char *buf)
Reported by FlawFinder.
Line: 75
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (err)
return -EAGAIN;
return sprintf(buf, "%lu\n", ((unsigned long)eax & 0xffffff) * 1000);
}
static ssize_t cpu0_vid_show(struct device *dev,
struct device_attribute *devattr, char *buf)
{
Reported by FlawFinder.
Line: 89
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (err)
return -EAGAIN;
return sprintf(buf, "%d\n", vid_from_reg(~edx & 0x7f, data->vrm));
}
static SENSOR_DEVICE_ATTR_RO(temp1_input, temp, SHOW_TEMP);
static SENSOR_DEVICE_ATTR_RO(temp1_label, name, SHOW_LABEL);
static SENSOR_DEVICE_ATTR_RO(name, name, SHOW_NAME);
Reported by FlawFinder.
drivers/hwmon/adt7x10.c
4 issues
Line: 323
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct adt7x10_data *data = dev_get_drvdata(dev);
return sprintf(buf, "%s\n", data->name);
}
static SENSOR_DEVICE_ATTR_RO(temp1_input, adt7x10_temp, 0);
static SENSOR_DEVICE_ATTR_RW(temp1_max, adt7x10_temp, 1);
static SENSOR_DEVICE_ATTR_RW(temp1_min, adt7x10_temp, 2);
Reported by FlawFinder.
Line: 235
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
return ret;
}
return sprintf(buf, "%d\n", ADT7X10_REG_TO_TEMP(data,
data->temp[attr->index]));
}
static ssize_t adt7x10_temp_store(struct device *dev,
struct device_attribute *da,
Reported by FlawFinder.
Line: 278
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
*/
if (nr == 2) /* min has positive offset, others have negative */
hyst = -hyst;
return sprintf(buf, "%d\n",
ADT7X10_REG_TO_TEMP(data, data->temp[nr]) - hyst);
}
static ssize_t adt7x10_t_hyst_store(struct device *dev,
struct device_attribute *da,
Reported by FlawFinder.
Line: 315
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (ret < 0)
return ret;
return sprintf(buf, "%d\n", !!(ret & attr->index));
}
static ssize_t name_show(struct device *dev, struct device_attribute *da,
char *buf)
{
Reported by FlawFinder.
drivers/gpu/drm/virtio/virtgpu_vq.c
4 issues
Line: 715
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
list_for_each_entry(cache_ent, &vgdev->cap_cache, head) {
if (cache_ent->version == le32_to_cpu(cmd->capset_version) &&
cache_ent->id == le32_to_cpu(cmd->capset_id)) {
memcpy(cache_ent->caps_cache, resp->capset_data,
cache_ent->size);
/* Copy must occur before is_valid is signalled. */
smp_wmb();
atomic_set(&cache_ent->is_valid, 1);
break;
Reported by FlawFinder.
Line: 735
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (start + len > le32_to_cpu(resp->size))
return -1;
memcpy(buf, resp->edid + start, len);
return 0;
}
static void virtio_gpu_cmd_get_edid_cb(struct virtio_gpu_device *vgdev,
struct virtio_gpu_vbuffer *vbuf)
Reported by FlawFinder.
Line: 1123
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
output->cursor.pos.scanout_id = cpu_to_le32(output->index);
cur_p = virtio_gpu_alloc_cursor(vgdev, &vbuf);
memcpy(cur_p, &output->cursor, sizeof(output->cursor));
virtio_gpu_queue_cursor(vgdev, vbuf);
}
static void virtio_gpu_cmd_resource_uuid_cb(struct virtio_gpu_device *vgdev,
struct virtio_gpu_vbuffer *vbuf)
Reported by FlawFinder.
Line: 928
Column: 2
CWE codes:
120
cmd_p->hdr.type = cpu_to_le32(VIRTIO_GPU_CMD_CTX_CREATE);
cmd_p->hdr.ctx_id = cpu_to_le32(id);
cmd_p->nlen = cpu_to_le32(nlen);
strncpy(cmd_p->debug_name, name, sizeof(cmd_p->debug_name) - 1);
cmd_p->debug_name[sizeof(cmd_p->debug_name) - 1] = 0;
virtio_gpu_queue_ctrl_buffer(vgdev, vbuf);
}
void virtio_gpu_cmd_context_destroy(struct virtio_gpu_device *vgdev,
Reported by FlawFinder.
drivers/hwmon/tmp401.c
4 issues
Line: 288
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (IS_ERR(data))
return PTR_ERR(data);
return sprintf(buf, "%d\n",
tmp401_register_to_temp(data->temp[nr][index], data->config));
}
static ssize_t temp_crit_hyst_show(struct device *dev,
struct device_attribute *devattr,
Reported by FlawFinder.
Line: 307
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
temp -= data->temp_crit_hyst * 1000;
mutex_unlock(&data->update_lock);
return sprintf(buf, "%d\n", temp);
}
static ssize_t status_show(struct device *dev,
struct device_attribute *devattr, char *buf)
{
Reported by FlawFinder.
Line: 320
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (IS_ERR(data))
return PTR_ERR(data);
return sprintf(buf, "%d\n", !!(data->status[nr] & mask));
}
static ssize_t temp_store(struct device *dev,
struct device_attribute *devattr, const char *buf,
size_t count)
Reported by FlawFinder.
Line: 427
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct tmp401_data *data = dev_get_drvdata(dev);
return sprintf(buf, "%u\n", data->update_interval);
}
static ssize_t update_interval_store(struct device *dev,
struct device_attribute *attr,
const char *buf, size_t count)
Reported by FlawFinder.
drivers/infiniband/hw/mthca/mthca_dev.h
4 issues
Line: 471
Column: 36
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
int mthca_write_mtt(struct mthca_dev *dev, struct mthca_mtt *mtt,
int start_index, u64 *buffer_list, int list_len);
int mthca_mr_alloc(struct mthca_dev *dev, u32 pd, int buffer_size_shift,
u64 iova, u64 total_size, u32 access, struct mthca_mr *mr);
int mthca_mr_alloc_notrans(struct mthca_dev *dev, u32 pd,
u32 access, struct mthca_mr *mr);
int mthca_mr_alloc_phys(struct mthca_dev *dev, u32 pd,
u64 *buffer_list, int buffer_size_shift,
int list_len, u64 iova, u64 total_size,
Reported by FlawFinder.
Line: 473
Column: 11
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
int mthca_mr_alloc(struct mthca_dev *dev, u32 pd, int buffer_size_shift,
u64 iova, u64 total_size, u32 access, struct mthca_mr *mr);
int mthca_mr_alloc_notrans(struct mthca_dev *dev, u32 pd,
u32 access, struct mthca_mr *mr);
int mthca_mr_alloc_phys(struct mthca_dev *dev, u32 pd,
u64 *buffer_list, int buffer_size_shift,
int list_len, u64 iova, u64 total_size,
u32 access, struct mthca_mr *mr);
void mthca_free_mr(struct mthca_dev *dev, struct mthca_mr *mr);
Reported by FlawFinder.
Line: 477
Column: 8
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
int mthca_mr_alloc_phys(struct mthca_dev *dev, u32 pd,
u64 *buffer_list, int buffer_size_shift,
int list_len, u64 iova, u64 total_size,
u32 access, struct mthca_mr *mr);
void mthca_free_mr(struct mthca_dev *dev, struct mthca_mr *mr);
int mthca_map_eq_icm(struct mthca_dev *dev, u64 icm_virt);
void mthca_unmap_eq_icm(struct mthca_dev *dev);
Reported by FlawFinder.
Line: 297
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned long device_cap_flags;
u32 rev_id;
char board_id[MTHCA_BOARD_ID_LEN];
/* firmware info */
u64 fw_ver;
union {
struct {
Reported by FlawFinder.