The following issues were found
drivers/infiniband/hw/mlx4/ah.c
4 issues
Line: 62
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ah->av.ib.sl_tclass_flowlabel |=
cpu_to_be32((grh->traffic_class << 20) |
grh->flow_label);
memcpy(ah->av.ib.dgid, grh->dgid.raw, 16);
}
ah->av.ib.dlid = cpu_to_be16(rdma_ah_get_dlid(ah_attr));
if (rdma_ah_get_static_rate(ah_attr)) {
u8 static_rate = rdma_ah_get_static_rate(ah_attr) +
Reported by FlawFinder.
Line: 93
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (rdma_is_multicast_addr(&in6))
is_mcast = 1;
memcpy(ah->av.eth.mac, ah_attr->roce.dmac, ETH_ALEN);
eth_zero_addr(ah->av.eth.s_mac);
/*
* If sgid_attr is NULL we are being called by mlx4_ib_create_ah_slave
* and we are directly creating an AV for a slave's gid_index.
Reported by FlawFinder.
Line: 138
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (is_mcast)
ah->av.ib.dlid = cpu_to_be16(0xc000);
memcpy(ah->av.eth.dgid, grh->dgid.raw, 16);
ah->av.eth.sl_tclass_flowlabel |= cpu_to_be32(rdma_ah_get_sl(ah_attr)
<< 29);
return 0;
}
Reported by FlawFinder.
Line: 188
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mah->av.ib.port_pd &= cpu_to_be32(0x7FFFFFFF);
if (ah_attr->type == RDMA_AH_ATTR_TYPE_ROCE)
memcpy(mah->av.eth.s_mac, s_mac, 6);
if (vlan_tag < 0x1000)
vlan_tag |= (rdma_ah_get_sl(ah_attr) & 7) << 13;
mah->av.eth.vlan = cpu_to_be16(vlan_tag);
Reported by FlawFinder.
drivers/input/keyboard/sunkbd.c
4 issues
Line: 28
Column: 17
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
MODULE_DESCRIPTION(DRIVER_DESC);
MODULE_LICENSE("GPL");
static unsigned char sunkbd_keycode[128] = {
0,128,114,129,115, 59, 60, 68, 61, 87, 62, 88, 63,100, 64,112,
65, 66, 67, 56,103,119, 99, 70,105,130,131,108,106, 1, 2, 3,
4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 41, 14,110,113, 98, 55,
116,132, 83,133,102, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25,
26, 27,111,127, 71, 72, 73, 74,134,135,107, 0, 29, 30, 31, 32,
Reported by FlawFinder.
Line: 60
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
struct sunkbd {
unsigned char keycode[ARRAY_SIZE(sunkbd_keycode)];
struct input_dev *dev;
struct serio *serio;
struct work_struct tq;
wait_queue_head_t wait;
char name[64];
Reported by FlawFinder.
Line: 65
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct serio *serio;
struct work_struct tq;
wait_queue_head_t wait;
char name[64];
char phys[32];
char type;
bool enabled;
volatile s8 reset;
volatile s8 layout;
Reported by FlawFinder.
Line: 66
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct work_struct tq;
wait_queue_head_t wait;
char name[64];
char phys[32];
char type;
bool enabled;
volatile s8 reset;
volatile s8 layout;
};
Reported by FlawFinder.
drivers/infiniband/hw/qib/qib_verbs.c
4 issues
Line: 186
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
while (length) {
u32 len = rvt_get_sge_length(sge, length);
memcpy(data, sge->vaddr, len);
sge->vaddr += len;
sge->length -= len;
sge->sge_length -= len;
if (sge->sge_length == 0) {
if (--ss->num_sge)
Reported by FlawFinder.
Line: 826
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
phdr = &dev->pio_hdrs[tx->hdr_inx];
phdr->pbc[0] = cpu_to_le32(plen);
phdr->pbc[1] = cpu_to_le32(control);
memcpy(&phdr->hdr, hdr, hdrwords << 2);
tx->txreq.flags |= QIB_SDMA_TXREQ_F_FREEDESC;
tx->txreq.sg_count = ndesc;
tx->txreq.addr = dev->pio_hdrs_phys +
tx->hdr_inx * sizeof(struct qib_pio_header);
tx->hdr_dwords = hdrwords + 2; /* add PBC length */
Reported by FlawFinder.
Line: 843
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto err_tx;
phdr->pbc[0] = cpu_to_le32(plen);
phdr->pbc[1] = cpu_to_le32(control);
memcpy(&phdr->hdr, hdr, hdrwords << 2);
qib_copy_from_sge((u32 *) &phdr->hdr + hdrwords, ss, len);
tx->txreq.addr = dma_map_single(&dd->pcidev->dev, phdr,
tx->hdr_dwords << 2, DMA_TO_DEVICE);
if (dma_mapping_error(&dd->pcidev->dev, tx->txreq.addr))
Reported by FlawFinder.
Line: 1251
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (device_modify_mask & IB_DEVICE_MODIFY_NODE_DESC) {
memcpy(device->node_desc, device_modify->node_desc,
IB_DEVICE_NODE_DESC_MAX);
for (i = 0; i < dd->num_pports; i++) {
struct qib_ibport *ibp = &dd->pport[i].ibport_data;
qib_node_desc_chg(ibp);
Reported by FlawFinder.
drivers/gpu/drm/omapdrm/dss/dispc.c
4 issues
Line: 3505
Column: 13
CWE codes:
126
#define DISPC_REG(i, name) name(i)
#define DUMPREG(dispc, i, r) seq_printf(s, "%s(%s)%*s %08x\n", #r, p_names[i], \
(int)(48 - strlen(#r) - strlen(p_names[i])), " ", \
dispc_read_reg(dispc, DISPC_REG(i, r)))
p_names = mgr_names;
/* DISPC channel specific registers */
Reported by FlawFinder.
Line: 3505
Column: 26
CWE codes:
126
#define DISPC_REG(i, name) name(i)
#define DUMPREG(dispc, i, r) seq_printf(s, "%s(%s)%*s %08x\n", #r, p_names[i], \
(int)(48 - strlen(#r) - strlen(p_names[i])), " ", \
dispc_read_reg(dispc, DISPC_REG(i, r)))
p_names = mgr_names;
/* DISPC channel specific registers */
Reported by FlawFinder.
Line: 3609
Column: 13
CWE codes:
126
#define DISPC_REG(plane, name, i) name(plane, i)
#define DUMPREG(dispc, plane, name, i) \
seq_printf(s, "%s_%d(%s)%*s %08x\n", #name, i, p_names[plane], \
(int)(46 - strlen(#name) - strlen(p_names[plane])), " ", \
dispc_read_reg(dispc, DISPC_REG(plane, name, i)))
/* Video pipeline coefficient registers */
/* start from OMAP_DSS_VIDEO1 */
Reported by FlawFinder.
Line: 3609
Column: 29
CWE codes:
126
#define DISPC_REG(plane, name, i) name(plane, i)
#define DUMPREG(dispc, plane, name, i) \
seq_printf(s, "%s_%d(%s)%*s %08x\n", #name, i, p_names[plane], \
(int)(46 - strlen(#name) - strlen(p_names[plane])), " ", \
dispc_read_reg(dispc, DISPC_REG(plane, name, i)))
/* Video pipeline coefficient registers */
/* start from OMAP_DSS_VIDEO1 */
Reported by FlawFinder.
drivers/infiniband/hw/bnxt_re/roce_hsi.h
4 issues
Line: 1260
Column: 5
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
#define CMDQ_MODIFY_QP_NETWORK_TYPE_ROCEV1 (0x0UL << 6)
#define CMDQ_MODIFY_QP_NETWORK_TYPE_ROCEV2_IPV4 (0x2UL << 6)
#define CMDQ_MODIFY_QP_NETWORK_TYPE_ROCEV2_IPV6 (0x3UL << 6)
u8 access;
#define CMDQ_MODIFY_QP_ACCESS_LOCAL_WRITE 0x1UL
#define CMDQ_MODIFY_QP_ACCESS_REMOTE_WRITE 0x2UL
#define CMDQ_MODIFY_QP_ACCESS_REMOTE_READ 0x4UL
#define CMDQ_MODIFY_QP_ACCESS_REMOTE_ATOMIC 0x8UL
__le16 pkey;
Reported by FlawFinder.
Line: 1490
Column: 5
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
#define CMDQ_ALLOCATE_MRW_MRW_FLAGS_MW_TYPE1 0x2UL
#define CMDQ_ALLOCATE_MRW_MRW_FLAGS_MW_TYPE2A 0x3UL
#define CMDQ_ALLOCATE_MRW_MRW_FLAGS_MW_TYPE2B 0x4UL
u8 access;
#define CMDQ_ALLOCATE_MRW_ACCESS_RESERVED_MASK 0x1fUL
#define CMDQ_ALLOCATE_MRW_ACCESS_RESERVED_SFT 0
#define CMDQ_ALLOCATE_MRW_ACCESS_CONSUMER_OWNED_KEY 0x20UL
__le16 unused_1;
__le32 pd_id;
Reported by FlawFinder.
Line: 1550
Column: 5
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
#define CMDQ_REGISTER_MR_LOG2_PG_SIZE_LAST \
CMDQ_REGISTER_MR_LOG2_PG_SIZE_PG_1G
#define CMDQ_REGISTER_MR_UNUSED1 0x80UL
u8 access;
#define CMDQ_REGISTER_MR_ACCESS_LOCAL_WRITE 0x1UL
#define CMDQ_REGISTER_MR_ACCESS_REMOTE_READ 0x2UL
#define CMDQ_REGISTER_MR_ACCESS_REMOTE_WRITE 0x4UL
#define CMDQ_REGISTER_MR_ACCESS_REMOTE_ATOMIC 0x8UL
#define CMDQ_REGISTER_MR_ACCESS_MW_BIND 0x10UL
Reported by FlawFinder.
Line: 2280
Column: 5
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
#define CREQ_QUERY_QP_RESP_SB_STATE_SQE 0x5UL
#define CREQ_QUERY_QP_RESP_SB_STATE_ERR 0x6UL
#define CREQ_QUERY_QP_RESP_SB_EN_SQD_ASYNC_NOTIFY 0x10UL
u8 access;
#define CREQ_QUERY_QP_RESP_SB_ACCESS_LOCAL_WRITE 0x1UL
#define CREQ_QUERY_QP_RESP_SB_ACCESS_REMOTE_WRITE 0x2UL
#define CREQ_QUERY_QP_RESP_SB_ACCESS_REMOTE_READ 0x4UL
#define CREQ_QUERY_QP_RESP_SB_ACCESS_REMOTE_ATOMIC 0x8UL
__le16 pkey;
Reported by FlawFinder.
drivers/hid/hid-u2fzero.c
4 issues
Line: 78
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mutex_lock(&dev->lock);
memcpy(dev->buf_out, req, sizeof(struct u2f_hid_report));
ret = hid_hw_output_report(dev->hdev, dev->buf_out,
sizeof(struct u2f_hid_msg));
mutex_unlock(&dev->lock);
Reported by FlawFinder.
Line: 114
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mutex_lock(&dev->lock);
memcpy(dev->buf_out, req, sizeof(struct u2f_hid_report));
dev->urb->context = &ctx;
init_completion(&ctx.done);
ret = usb_submit_urb(dev->urb, GFP_NOIO);
Reported by FlawFinder.
Line: 140
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
hid_err(hdev, "urb submission timed out");
} else {
ret = dev->urb->actual_length;
memcpy(resp, dev->buf_in, ret);
}
err:
mutex_unlock(&dev->lock);
Reported by FlawFinder.
Line: 208
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
actual_length = min3((size_t)ret - offsetof(struct u2f_hid_msg,
init.data), U2F_HID_MSG_LEN(resp), max);
memcpy(data, resp.init.data, actual_length);
return actual_length;
}
static int u2fzero_init_led(struct u2fzero_device *dev,
Reported by FlawFinder.
drivers/gpu/drm/i915/gt/intel_ggtt_fencing.c
4 issues
Line: 742
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
static void swizzle_page(struct page *page)
{
char temp[64];
char *vaddr;
int i;
vaddr = kmap(page);
Reported by FlawFinder.
Line: 749
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
vaddr = kmap(page);
for (i = 0; i < PAGE_SIZE; i += 128) {
memcpy(temp, &vaddr[i], 64);
memcpy(&vaddr[i], &vaddr[i + 64], 64);
memcpy(&vaddr[i + 64], temp, 64);
}
kunmap(page);
Reported by FlawFinder.
Line: 750
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (i = 0; i < PAGE_SIZE; i += 128) {
memcpy(temp, &vaddr[i], 64);
memcpy(&vaddr[i], &vaddr[i + 64], 64);
memcpy(&vaddr[i + 64], temp, 64);
}
kunmap(page);
}
Reported by FlawFinder.
Line: 751
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (i = 0; i < PAGE_SIZE; i += 128) {
memcpy(temp, &vaddr[i], 64);
memcpy(&vaddr[i], &vaddr[i + 64], 64);
memcpy(&vaddr[i + 64], temp, 64);
}
kunmap(page);
}
Reported by FlawFinder.
drivers/gpu/drm/rcar-du/rcar_du_of.c
4 issues
Line: 231
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
* normal safety checks.
*/
soc_name = strchr(match->compatible, '-') + 1;
sprintf(compatible, "renesas,%s-lvds", soc_name);
lvds_node = of_find_compatible_node(NULL, NULL, compatible);
if (lvds_node) {
of_node_put(lvds_node);
return;
}
Reported by FlawFinder.
Line: 203
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct device_node *lvds_node;
struct device_node *soc_node;
struct device_node *du_node;
char compatible[22];
const char *soc_name;
unsigned int i;
int ret;
/* Get the DU node and exit if not present or disabled. */
Reported by FlawFinder.
Line: 246
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
for (i = 0; i < info->num_lvds; ++i) {
struct lvds_of_data *lvds = &lvds_data[i];
unsigned int port;
char name[7];
int index;
sprintf(name, "lvds.%u", i);
index = of_property_match_string(du_node, "clock-names", name);
if (index < 0)
Reported by FlawFinder.
Line: 249
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
char name[7];
int index;
sprintf(name, "lvds.%u", i);
index = of_property_match_string(du_node, "clock-names", name);
if (index < 0)
continue;
ret = of_parse_phandle_with_args(du_node, "clocks",
Reported by FlawFinder.
drivers/input/touchscreen/wdt87xx_i2c.c
4 issues
Line: 270
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
rx_len = min_t(size_t, len, rx_buf[0]);
memcpy(buf, &rx_buf[2], rx_len);
mdelay(WDT_COMMAND_DELAY_MS);
return 0;
}
Reported by FlawFinder.
Line: 310
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
rx_len = min_t(size_t, buf_size, get_unaligned_le16(rx_buf));
memcpy(buf, &rx_buf[2], rx_len);
mdelay(WDT_COMMAND_DELAY_MS);
return 0;
}
Reported by FlawFinder.
Line: 343
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (tx_len + buf_size > sizeof(tx_buf))
return -EINVAL;
memcpy(&tx_buf[tx_len], buf, buf_size);
tx_len += buf_size;
error = i2c_master_send(client, tx_buf, tx_len);
if (error < 0) {
dev_err(&client->dev, "set feature failed: %d\n", error);
Reported by FlawFinder.
Line: 586
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pkt_buf[CMD_TYPE_OFFSET] = VND_SET_DATA;
put_unaligned_le16(packet_size, &pkt_buf[CMD_INDEX_OFFSET]);
put_unaligned_le32(address, &pkt_buf[CMD_LENGTH_OFFSET]);
memcpy(&pkt_buf[CMD_DATA_OFFSET], data, packet_size);
error = wdt87xx_set_feature(client, pkt_buf, sizeof(pkt_buf));
if (error)
return error;
Reported by FlawFinder.
drivers/infiniband/sw/siw/siw_main.c
4 issues
Line: 327
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* but connection mangagement lib expects gid != 0
*/
size_t len = min_t(size_t, strlen(base_dev->name), 6);
char addr[6] = { };
memcpy(addr, base_dev->name, len);
addrconf_addr_eui48((unsigned char *)&base_dev->node_guid,
addr);
}
Reported by FlawFinder.
Line: 329
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
size_t len = min_t(size_t, strlen(base_dev->name), 6);
char addr[6] = { };
memcpy(addr, base_dev->name, len);
addrconf_addr_eui48((unsigned char *)&base_dev->node_guid,
addr);
}
base_dev->uverbs_cmd_mask |= BIT_ULL(IB_USER_VERBS_CMD_POST_SEND);
Reported by FlawFinder.
Line: 337
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
base_dev->uverbs_cmd_mask |= BIT_ULL(IB_USER_VERBS_CMD_POST_SEND);
base_dev->node_type = RDMA_NODE_RNIC;
memcpy(base_dev->node_desc, SIW_NODE_DESC_COMMON,
sizeof(SIW_NODE_DESC_COMMON));
/*
* Current model (one-to-one device association):
* One Softiwarp device per net_device or, equivalently,
Reported by FlawFinder.
Line: 326
Column: 30
CWE codes:
126
* The loopback device does not have a HW address,
* but connection mangagement lib expects gid != 0
*/
size_t len = min_t(size_t, strlen(base_dev->name), 6);
char addr[6] = { };
memcpy(addr, base_dev->name, len);
addrconf_addr_eui48((unsigned char *)&base_dev->node_guid,
addr);
Reported by FlawFinder.