The following issues were found
drivers/input/misc/pcf8574_keypad.c
4 issues
Line: 121
Column: 2
CWE codes:
134
Suggestion:
Make format string constant
}
__clear_bit(KEY_RESERVED, idev->keybit);
sprintf(lp->name, DRV_NAME);
sprintf(lp->phys, "kp_data/input0");
idev->name = lp->name;
idev->phys = lp->phys;
idev->id.bustype = BUS_I2C;
Reported by FlawFinder.
Line: 41
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned short btncode[ARRAY_SIZE(pcf8574_kp_btncode)];
struct input_dev *idev;
struct i2c_client *client;
char name[64];
char phys[32];
unsigned char laststate;
};
static short read_state(struct kp_data *lp)
Reported by FlawFinder.
Line: 42
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct input_dev *idev;
struct i2c_client *client;
char name[64];
char phys[32];
unsigned char laststate;
};
static short read_state(struct kp_data *lp)
{
Reported by FlawFinder.
Line: 122
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
__clear_bit(KEY_RESERVED, idev->keybit);
sprintf(lp->name, DRV_NAME);
sprintf(lp->phys, "kp_data/input0");
idev->name = lp->name;
idev->phys = lp->phys;
idev->id.bustype = BUS_I2C;
idev->id.vendor = 0x0001;
Reported by FlawFinder.
drivers/hwmon/menf21bmc_hwmon.c
4 issues
Line: 104
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct sensor_device_attribute *attr = to_sensor_dev_attr(devattr);
return sprintf(buf, "%s\n", input_names[attr->index]);
}
static ssize_t
in_show(struct device *dev, struct device_attribute *devattr, char *buf)
{
Reported by FlawFinder.
Line: 116
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (IS_ERR(drv_data))
return PTR_ERR(drv_data);
return sprintf(buf, "%d\n", drv_data->in_val[attr->index]);
}
static ssize_t
min_show(struct device *dev, struct device_attribute *devattr, char *buf)
{
Reported by FlawFinder.
Line: 125
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct sensor_device_attribute *attr = to_sensor_dev_attr(devattr);
struct menf21bmc_hwmon *drv_data = dev_get_drvdata(dev);
return sprintf(buf, "%d\n", drv_data->in_min[attr->index]);
}
static ssize_t
max_show(struct device *dev, struct device_attribute *devattr, char *buf)
{
Reported by FlawFinder.
Line: 134
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct sensor_device_attribute *attr = to_sensor_dev_attr(devattr);
struct menf21bmc_hwmon *drv_data = dev_get_drvdata(dev);
return sprintf(buf, "%d\n", drv_data->in_max[attr->index]);
}
static SENSOR_DEVICE_ATTR_RO(in0_input, in, 0);
static SENSOR_DEVICE_ATTR_RO(in0_min, min, 0);
static SENSOR_DEVICE_ATTR_RO(in0_max, max, 0);
Reported by FlawFinder.
drivers/gpu/drm/i915/display/intel_dp.c
4 issues
Line: 127
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Needed, e.g., for Apple MBP 2017, 15 inch eDP Retina panel */
static const int quirk_rates[] = { 162000, 270000, 324000 };
memcpy(intel_dp->sink_rates, quirk_rates, sizeof(quirk_rates));
intel_dp->num_sink_rates = ARRAY_SIZE(quirk_rates);
return;
}
Reported by FlawFinder.
Line: 872
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void intel_dp_print_rates(struct intel_dp *intel_dp)
{
struct drm_i915_private *i915 = dp_to_i915(intel_dp);
char str[128]; /* FIXME: too big for stack? */
if (!drm_debug_enabled(DRM_UT_KMS))
return;
snprintf_int_array(str, sizeof(str),
Reported by FlawFinder.
Line: 2713
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
size_t length = sizeof(struct dp_sdp);
const int infoframe_size = HDMI_INFOFRAME_HEADER_SIZE + HDMI_DRM_INFOFRAME_SIZE;
unsigned char buf[HDMI_INFOFRAME_HEADER_SIZE + HDMI_DRM_INFOFRAME_SIZE];
ssize_t len;
if (size < length)
return -ENOSPC;
Reported by FlawFinder.
Line: 2764
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* HDMI_INFOFRAME_HEADER_SIZE
*/
BUILD_BUG_ON(sizeof(sdp->db) < HDMI_DRM_INFOFRAME_SIZE + 2);
memcpy(&sdp->db[2], &buf[HDMI_INFOFRAME_HEADER_SIZE],
HDMI_DRM_INFOFRAME_SIZE);
/*
* Size of DP infoframe sdp packet for HDR static metadata consists of
* - DP SDP Header(struct dp_sdp_header): 4 bytes
Reported by FlawFinder.
drivers/input/touchscreen/elants_i2c.c
4 issues
Line: 1180
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct i2c_client *client = to_i2c_client(dev);
struct elants_data *ts = i2c_get_clientdata(client);
return sprintf(buf, "%s\n",
ts->iap_mode == ELAN_IAP_OPERATIONAL ?
"Normal" : "Recovery");
}
static ssize_t show_calibration_count(struct device *dev,
Reported by FlawFinder.
Line: 1198
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
resp, sizeof(resp), 1,
"read ReK status");
if (error)
return sprintf(buf, "%d\n", error);
rek_count = get_unaligned_be16(&resp[2]);
return sprintf(buf, "0x%04x\n", rek_count);
}
Reported by FlawFinder.
Line: 1201
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
return sprintf(buf, "%d\n", error);
rek_count = get_unaligned_be16(&resp[2]);
return sprintf(buf, "0x%04x\n", rek_count);
}
static DEVICE_ATTR_WO(calibrate);
static DEVICE_ATTR(iap_mode, S_IRUGO, show_iap_mode, NULL);
static DEVICE_ATTR(calibration_count, S_IRUGO, show_calibration_count, NULL);
Reported by FlawFinder.
Line: 1248
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
fmt_size = 4; /* 4 HEX digits */
}
return sprintf(buf, "%0*x\n", fmt_size, val);
}
static ELANTS_VERSION_ATTR(fw_version);
static ELANTS_VERSION_ATTR(hw_version);
static ELANTS_VERSION_ATTR(test_version);
Reported by FlawFinder.
drivers/hid/hid-multitouch.c
4 issues
Line: 1615
Column: 4
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
strlen(hdev->name) + strlen(suffix) + 2,
GFP_KERNEL);
if (name) {
sprintf(name, "%s %s", hdev->name, suffix);
hi->input->name = name;
}
}
return 0;
Reported by FlawFinder.
Line: 391
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct hid_device *hdev = to_hid_device(dev);
struct mt_device *td = hid_get_drvdata(hdev);
return sprintf(buf, "%u\n", td->mtclass.quirks);
}
static ssize_t mt_set_quirks(struct device *dev,
struct device_attribute *attr,
const char *buf, size_t count)
Reported by FlawFinder.
Line: 1612
Column: 30
CWE codes:
126
if (suffix) {
name = devm_kzalloc(&hi->input->dev,
strlen(hdev->name) + strlen(suffix) + 2,
GFP_KERNEL);
if (name) {
sprintf(name, "%s %s", hdev->name, suffix);
hi->input->name = name;
}
Reported by FlawFinder.
Line: 1612
Column: 9
CWE codes:
126
if (suffix) {
name = devm_kzalloc(&hi->input->dev,
strlen(hdev->name) + strlen(suffix) + 2,
GFP_KERNEL);
if (name) {
sprintf(name, "%s %s", hdev->name, suffix);
hi->input->name = name;
}
Reported by FlawFinder.
drivers/gpu/drm/i915/display/intel_dmc.c
4 issues
Line: 209
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u32 mmiodata[DMC_V1_MAX_MMIO_COUNT];
/* FW filename */
char dfile[32];
u32 reserved1[2];
} __packed;
struct intel_dmc_header_v3 {
Reported by FlawFinder.
Line: 223
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u32 reserved[9];
/* FW filename */
char dfile[32];
/* Number of valid MMIO cycles present. */
u32 mmio_count;
/* MMIO address */
Reported by FlawFinder.
Line: 495
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return 0;
payload = (u8 *)(dmc_header) + header_len_bytes;
memcpy(dmc->dmc_payload, payload, payload_size);
return header_len_bytes + payload_size;
error_truncated:
drm_err(&i915->drm, "Truncated DMC firmware, refusing.\n");
Reported by FlawFinder.
Line: 753
Column: 7
CWE codes:
126
}
if (dev_priv->params.dmc_firmware_path) {
if (strlen(dev_priv->params.dmc_firmware_path) == 0) {
dmc->fw_path = NULL;
drm_info(&dev_priv->drm,
"Disabling DMC firmware and runtime PM\n");
return;
}
Reported by FlawFinder.
drivers/input/mouse/elantech.h
4 issues
Line: 140
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
struct elantech_device_info {
unsigned char capabilities[3];
unsigned char samples[3];
unsigned char debug;
unsigned char hw_version;
unsigned char pattern;
unsigned int fw_version;
Reported by FlawFinder.
Line: 141
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct elantech_device_info {
unsigned char capabilities[3];
unsigned char samples[3];
unsigned char debug;
unsigned char hw_version;
unsigned char pattern;
unsigned int fw_version;
unsigned int ic_version;
Reported by FlawFinder.
Line: 171
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct elantech_data {
struct input_dev *tp_dev; /* Relative device for trackpoint */
char tp_phys[32];
unsigned char reg_07;
unsigned char reg_10;
unsigned char reg_11;
unsigned char reg_20;
unsigned char reg_21;
Reported by FlawFinder.
Line: 186
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int y_max;
unsigned int width;
struct finger_pos mt[ETP_MAX_FINGERS];
unsigned char parity[256];
struct elantech_device_info info;
void (*original_set_rate)(struct psmouse *psmouse, unsigned int rate);
};
int elantech_detect(struct psmouse *psmouse, bool set_properties);
Reported by FlawFinder.
drivers/infiniband/hw/cxgb4/provider.c
4 issues
Line: 251
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -EINVAL;
dev = to_c4iw_dev(ibdev);
memset(&(gid->raw[0]), 0, sizeof(gid->raw));
memcpy(&(gid->raw[0]), dev->rdev.lldi.ports[port-1]->dev_addr, 6);
return 0;
}
static int c4iw_query_device(struct ib_device *ibdev, struct ib_device_attr *props,
struct ib_udata *uhw)
Reported by FlawFinder.
Line: 267
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -EINVAL;
dev = to_c4iw_dev(ibdev);
memcpy(&props->sys_image_guid, dev->rdev.lldi.ports[0]->dev_addr, 6);
props->hw_ver = CHELSIO_CHIP_RELEASE(dev->rdev.lldi.adapter_type);
props->fw_ver = dev->rdev.lldi.fw_vers;
props->device_cap_flags = dev->device_cap_flags;
props->page_size_cap = T4_PAGESIZE_MASK;
props->vendor_id = (u32)dev->rdev.lldi.pdev->vendor;
Reported by FlawFinder.
Line: 528
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pr_debug("c4iw_dev %p\n", dev);
memset(&dev->ibdev.node_guid, 0, sizeof(dev->ibdev.node_guid));
memcpy(&dev->ibdev.node_guid, dev->rdev.lldi.ports[0]->dev_addr, 6);
dev->device_cap_flags = IB_DEVICE_LOCAL_DMA_LKEY | IB_DEVICE_MEM_WINDOW;
if (fastreg_support)
dev->device_cap_flags |= IB_DEVICE_MEM_MGT_EXTENSIONS;
dev->ibdev.local_dma_lkey = 0;
dev->ibdev.node_type = RDMA_NODE_RNIC;
Reported by FlawFinder.
Line: 535
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dev->ibdev.local_dma_lkey = 0;
dev->ibdev.node_type = RDMA_NODE_RNIC;
BUILD_BUG_ON(sizeof(C4IW_NODE_DESC) > IB_DEVICE_NODE_DESC_MAX);
memcpy(dev->ibdev.node_desc, C4IW_NODE_DESC, sizeof(C4IW_NODE_DESC));
dev->ibdev.phys_port_cnt = dev->rdev.lldi.nports;
dev->ibdev.num_comp_vectors = dev->rdev.lldi.nciq;
dev->ibdev.dev.parent = &dev->rdev.lldi.pdev->dev;
memcpy(dev->ibdev.iw_ifname, dev->rdev.lldi.ports[0]->name,
Reported by FlawFinder.
drivers/hid/hid-picolcd_fb.c
4 issues
Line: 153
CWE codes:
908
const u8 *bdata = bitmap + tile * 256 + chip * 8 + b * 32;
for (i = 0; i < 64; i++) {
tdata[i] <<= 1;
tdata[i] |= (bdata[i/8] >> (i % 8)) & 0x01;
}
}
} else if (bpp == 8) {
for (b = 7; b >= 0; b--) {
const u8 *bdata = bitmap + (tile * 256 + chip * 8 + b * 32) * 8;
Reported by Cppcheck.
Line: 161
CWE codes:
908
const u8 *bdata = bitmap + (tile * 256 + chip * 8 + b * 32) * 8;
for (i = 0; i < 64; i++) {
tdata[i] <<= 1;
tdata[i] |= (bdata[i] & 0x80) ? 0x01 : 0x00;
}
}
} else {
/* Oops, we should never get here! */
WARN_ON(1);
Reported by Cppcheck.
Line: 403
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
tmp_fb[i] = p;
}
memcpy(o_fb, tmp_fb, PICOLCDFB_SIZE);
info->fix.visual = FB_VISUAL_MONO01;
info->fix.line_length = PICOLCDFB_WIDTH / 8;
} else {
int i;
memcpy(tmp_fb, o_fb, PICOLCDFB_SIZE);
Reported by FlawFinder.
Line: 408
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
info->fix.line_length = PICOLCDFB_WIDTH / 8;
} else {
int i;
memcpy(tmp_fb, o_fb, PICOLCDFB_SIZE);
for (i = 0; i < PICOLCDFB_SIZE * 8; i++)
o_fb[i] = tmp_fb[i/8] & (0x01 << (7 - i % 8)) ? 0xff : 0x00;
info->fix.visual = FB_VISUAL_DIRECTCOLOR;
info->fix.line_length = PICOLCDFB_WIDTH;
}
Reported by FlawFinder.
drivers/infiniband/core/rdma_core.c
4 issues
Line: 960
Column: 68
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
EXPORT_SYMBOL(uverbs_fd_class);
struct ib_uobject *
uverbs_get_uobject_from_file(u16 object_id, enum uverbs_obj_access access,
s64 id, struct uverbs_attr_bundle *attrs)
{
const struct uverbs_api_object *obj =
uapi_get_object(attrs->ufile->device->uapi, object_id);
Reported by FlawFinder.
Line: 966
Column: 10
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
const struct uverbs_api_object *obj =
uapi_get_object(attrs->ufile->device->uapi, object_id);
switch (access) {
case UVERBS_ACCESS_READ:
return rdma_lookup_get_uobject(obj, attrs->ufile, id,
UVERBS_LOOKUP_READ, attrs);
case UVERBS_ACCESS_DESTROY:
/* Actual destruction is done inside uverbs_handle_method */
Reported by FlawFinder.
Line: 986
Column: 31
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
}
void uverbs_finalize_object(struct ib_uobject *uobj,
enum uverbs_obj_access access, bool hw_obj_valid,
bool commit, struct uverbs_attr_bundle *attrs)
{
/*
* refcounts should be handled at the object level and not at the
* uobject level. Refcounts of the objects themselves are done in
Reported by FlawFinder.
Line: 995
Column: 10
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
* handlers.
*/
switch (access) {
case UVERBS_ACCESS_READ:
rdma_lookup_put_uobject(uobj, UVERBS_LOOKUP_READ);
break;
case UVERBS_ACCESS_WRITE:
rdma_lookup_put_uobject(uobj, UVERBS_LOOKUP_WRITE);
Reported by FlawFinder.