The following issues were found
drivers/gpu/drm/msm/msm_drv.c
4 issues
Line: 95
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char *name)
{
int i;
char n[32];
snprintf(n, sizeof(n), "%s_clk", name);
for (i = 0; bulk && i < count; i++) {
if (!strcmp(bulk[i].id, name) || !strcmp(bulk[i].id, n))
Reported by FlawFinder.
Line: 111
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct clk *msm_clk_get(struct platform_device *pdev, const char *name)
{
struct clk *clk;
char name2[32];
clk = devm_clk_get(&pdev->dev, name);
if (!IS_ERR(clk) || PTR_ERR(clk) == -EPROBE_DEFER)
return clk;
Reported by FlawFinder.
Line: 888
Column: 35
CWE codes:
126
}
break;
case MSM_INFO_GET_NAME:
if (args->value && (args->len < strlen(msm_obj->name))) {
ret = -EINVAL;
break;
}
args->len = strlen(msm_obj->name);
if (args->value) {
Reported by FlawFinder.
Line: 892
Column: 15
CWE codes:
126
ret = -EINVAL;
break;
}
args->len = strlen(msm_obj->name);
if (args->value) {
if (copy_to_user(u64_to_user_ptr(args->value),
msm_obj->name, args->len))
ret = -EFAULT;
}
Reported by FlawFinder.
drivers/gpu/drm/nouveau/nvkm/subdev/iccsense/base.c
4 issues
Line: 262
Column: 10
CWE codes:
120
20
for (r = 0; r < pwr_rail->resistor_count; ++r) {
struct nvkm_iccsense_rail *rail;
struct pwr_rail_resistor_t *res = &pwr_rail->resistors[r];
int (*read)(struct nvkm_iccsense *,
struct nvkm_iccsense_rail *);
if (!res->mohm || !res->enabled)
continue;
Reported by FlawFinder.
Line: 286
Column: 17
CWE codes:
120
20
if (!rail)
return -ENOMEM;
rail->read = read;
rail->sensor = sensor;
rail->idx = r;
rail->mohm = res->mohm;
nvkm_debug(subdev, "create rail for extdev %i: { idx: %i, mohm: %i }\n", pwr_rail->extdev_id, r, rail->mohm);
list_add_tail(&rail->head, &iccsense->rails);
Reported by FlawFinder.
drivers/infiniband/sw/siw/siw_qp.c
4 issues
Line: 18
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#include "siw_verbs.h"
#include "siw_mem.h"
static char siw_qp_state_to_string[SIW_QP_STATE_COUNT][sizeof "TERMINATE"] = {
[SIW_QP_STATE_IDLE] = "IDLE",
[SIW_QP_STATE_RTR] = "RTR",
[SIW_QP_STATE_RTS] = "RTS",
[SIW_QP_STATE_CLOSING] = "CLOSING",
[SIW_QP_STATE_TERMINATE] = "TERMINATE",
Reported by FlawFinder.
Line: 438
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return;
}
}
memcpy(&term->ctrl, &iwarp_pktinfo[RDMAP_TERMINATE].ctrl,
sizeof(struct iwarp_ctrl));
__rdmap_term_set_layer(term, qp->term_info.layer);
__rdmap_term_set_etype(term, qp->term_info.etype);
__rdmap_term_set_ecode(term, qp->term_info.ecode);
Reported by FlawFinder.
Line: 471
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*/
rreq = (struct iwarp_rdma_rreq *)err_hdr;
memcpy(&rreq->ctrl,
&iwarp_pktinfo[RDMAP_RDMA_READ_REQ].ctrl,
sizeof(struct iwarp_ctrl));
rreq->rsvd = 0;
rreq->ddp_qn =
Reported by FlawFinder.
Line: 895
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
wqe->wr_status = SIW_WR_QUEUED;
/* First copy SQE to kernel private memory */
memcpy(&wqe->sqe, sqe, sizeof(*sqe));
if (wqe->sqe.opcode >= SIW_NUM_OPCODES) {
rv = -EINVAL;
goto out;
}
Reported by FlawFinder.
drivers/infiniband/hw/hfi1/user_sdma.c
4 issues
Line: 171
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct hfi1_filedata *fd)
{
int ret = -ENOMEM;
char buf[64];
struct hfi1_devdata *dd;
struct hfi1_user_sdma_comp_q *cq;
struct hfi1_user_sdma_pkt_q *pq;
if (!uctxt || !fd)
Reported by FlawFinder.
Line: 434
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
req->has_error = 0;
INIT_LIST_HEAD(&req->txps);
memcpy(&req->info, &info, sizeof(info));
/* The request is initialized, count it */
atomic_inc(&pq->n_reqs);
if (req_opcode(info.ctrl) == EXPECTED) {
Reported by FlawFinder.
Line: 985
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pages = kcalloc(npages, sizeof(*pages), GFP_KERNEL);
if (!pages)
return -ENOMEM;
memcpy(pages, node->pages, node->npages * sizeof(*pages));
npages -= node->npages;
retry:
if (!hfi1_can_pin_pages(pq->dd, current->mm,
atomic_read(&pq->n_locked), npages)) {
Reported by FlawFinder.
Line: 1174
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
u32 tidval = 0, lrhlen = get_lrh_len(*hdr, pad_len(datalen));
/* Copy the header template to the request before modification */
memcpy(hdr, &req->hdr, sizeof(*hdr));
/*
* Check if the PBC and LRH length are mismatched. If so
* adjust both in the header.
*/
Reported by FlawFinder.
drivers/infiniband/ulp/ipoib/ipoib_fs.c
4 issues
Line: 51
Column: 8
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
int i, n;
for (n = 0, i = 0; i < 8; ++i) {
n += sprintf(buf + n, "%x",
be16_to_cpu(((__be16 *) gid->raw)[i]));
if (i < 7)
buf[n++] = ':';
}
}
Reported by FlawFinder.
Line: 100
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int ipoib_mcg_seq_show(struct seq_file *file, void *iter_ptr)
{
struct ipoib_mcast_iter *iter = iter_ptr;
char gid_buf[sizeof "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"];
union ib_gid mgid;
unsigned long created;
unsigned int queuelen, complete, send_only;
if (!iter)
Reported by FlawFinder.
Line: 178
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int ipoib_path_seq_show(struct seq_file *file, void *iter_ptr)
{
struct ipoib_path_iter *iter = iter_ptr;
char gid_buf[sizeof "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"];
struct ipoib_path path;
int rate;
if (!iter)
return 0;
Reported by FlawFinder.
Line: 223
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void ipoib_create_debug_files(struct net_device *dev)
{
struct ipoib_dev_priv *priv = ipoib_priv(dev);
char name[IFNAMSIZ + sizeof("_path")];
snprintf(name, sizeof(name), "%s_mcg", dev->name);
priv->mcg_dentry = debugfs_create_file(name, S_IFREG | S_IRUGO,
ipoib_root, dev, &ipoib_mcg_fops);
Reported by FlawFinder.
drivers/infiniband/hw/qib/qib_eeprom.c
4 issues
Line: 250
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* This board has a Serial-prefix, which is stored
* elsewhere for backward-compatibility.
*/
memcpy(snp, ifp->if_sprefix, sizeof(ifp->if_sprefix));
snp[sizeof(ifp->if_sprefix)] = '\0';
len = strlen(snp);
snp += len;
len = sizeof(dd->serial) - len;
if (len > sizeof(ifp->if_serial))
Reported by FlawFinder.
Line: 257
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
len = sizeof(dd->serial) - len;
if (len > sizeof(ifp->if_serial))
len = sizeof(ifp->if_serial);
memcpy(snp, ifp->if_serial, len);
} else {
memcpy(dd->serial, ifp->if_serial, sizeof(ifp->if_serial));
}
if (!strstr(ifp->if_comment, "Tested successfully"))
qib_dev_err(dd,
Reported by FlawFinder.
Line: 259
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
len = sizeof(ifp->if_serial);
memcpy(snp, ifp->if_serial, len);
} else {
memcpy(dd->serial, ifp->if_serial, sizeof(ifp->if_serial));
}
if (!strstr(ifp->if_comment, "Tested successfully"))
qib_dev_err(dd,
"Board SN %s did not pass functional test: %s\n",
dd->serial, ifp->if_comment);
Reported by FlawFinder.
Line: 252
Column: 9
CWE codes:
126
*/
memcpy(snp, ifp->if_sprefix, sizeof(ifp->if_sprefix));
snp[sizeof(ifp->if_sprefix)] = '\0';
len = strlen(snp);
snp += len;
len = sizeof(dd->serial) - len;
if (len > sizeof(ifp->if_serial))
len = sizeof(ifp->if_serial);
memcpy(snp, ifp->if_serial, len);
Reported by FlawFinder.
drivers/gpu/drm/i915/selftests/i915_random.c
4 issues
Line: 48
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void i915_prandom_shuffle(void *arr, size_t elsz, size_t count,
struct rnd_state *state)
{
char stack[128];
if (WARN_ON(elsz > sizeof(stack) || count > U32_MAX))
return;
if (!elsz || !count)
Reported by FlawFinder.
Line: 64
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (swp == count)
continue;
memcpy(stack, arr + count * elsz, elsz);
memcpy(arr + count * elsz, arr + swp * elsz, elsz);
memcpy(arr + swp * elsz, stack, elsz);
}
}
Reported by FlawFinder.
Line: 65
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
continue;
memcpy(stack, arr + count * elsz, elsz);
memcpy(arr + count * elsz, arr + swp * elsz, elsz);
memcpy(arr + swp * elsz, stack, elsz);
}
}
void i915_random_reorder(unsigned int *order, unsigned int count,
Reported by FlawFinder.
Line: 66
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(stack, arr + count * elsz, elsz);
memcpy(arr + count * elsz, arr + swp * elsz, elsz);
memcpy(arr + swp * elsz, stack, elsz);
}
}
void i915_random_reorder(unsigned int *order, unsigned int count,
struct rnd_state *state)
Reported by FlawFinder.
drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c
4 issues
Line: 49
CWE codes:
476
if (desc->type > PGT) {
if (desc->type == SPT) {
const struct nvkm_vmm_desc *pair = page[-1].desc;
lpte = pten >> (desc->bits - pair->bits);
} else {
lpte = pten;
}
}
Reported by Cppcheck.
Line: 103
Column: 11
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
int lvl;
for (lvl = it->max; lvl >= 0; lvl--) {
if (lvl >= it->lvl)
buf += sprintf(buf, "%05x:", it->pte[lvl]);
else
buf += sprintf(buf, "xxxxx:");
}
}
Reported by FlawFinder.
Line: 105
Column: 11
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (lvl >= it->lvl)
buf += sprintf(buf, "%05x:", it->pte[lvl]);
else
buf += sprintf(buf, "xxxxx:");
}
}
#define TRA(i,f,a...) do { \
char _buf[NVKM_VMM_LEVELS_MAX * 7]; \
Reported by FlawFinder.
Line: 110
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
#define TRA(i,f,a...) do { \
char _buf[NVKM_VMM_LEVELS_MAX * 7]; \
struct nvkm_vmm_iter *_it = (i); \
nvkm_vmm_trace(_it, _buf); \
VMM_TRACE(_it->vmm, "%s "f, _buf, ##a); \
} while(0)
#else
Reported by FlawFinder.
drivers/iio/imu/inv_mpu6050/inv_mpu_magn.c
4 issues
Line: 290
Column: 5
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
if (str == NULL)
return -ENOMEM;
if (strcmp(orient, "0") == 0) {
strcpy(str, orient);
} else if (orient[0] == '-') {
strcpy(str, &orient[1]);
} else {
str[0] = '-';
strcpy(&str[1], orient);
Reported by FlawFinder.
Line: 292
Column: 5
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
if (strcmp(orient, "0") == 0) {
strcpy(str, orient);
} else if (orient[0] == '-') {
strcpy(str, &orient[1]);
} else {
str[0] = '-';
strcpy(&str[1], orient);
}
st->magn_orient.rotation[6 + i] = str;
Reported by FlawFinder.
Line: 295
Column: 5
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
strcpy(str, &orient[1]);
} else {
str[0] = '-';
strcpy(&str[1], orient);
}
st->magn_orient.rotation[6 + i] = str;
}
break;
default:
Reported by FlawFinder.
Line: 286
Column: 9
CWE codes:
126
orient = st->orientation.rotation[6 + i];
/* use length + 2 for adding minus sign if needed */
str = devm_kzalloc(regmap_get_device(st->map),
strlen(orient) + 2, GFP_KERNEL);
if (str == NULL)
return -ENOMEM;
if (strcmp(orient, "0") == 0) {
strcpy(str, orient);
} else if (orient[0] == '-') {
Reported by FlawFinder.
include/crypto/internal/blake2s.h
4 issues
Line: 41
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (unlikely(!inlen))
return;
if (inlen > fill) {
memcpy(state->buf + state->buflen, in, fill);
(*compress)(state, state->buf, 1, BLAKE2S_BLOCK_SIZE);
state->buflen = 0;
in += fill;
inlen -= fill;
}
Reported by FlawFinder.
Line: 54
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
in += BLAKE2S_BLOCK_SIZE * (nblocks - 1);
inlen -= BLAKE2S_BLOCK_SIZE * (nblocks - 1);
}
memcpy(state->buf + state->buflen, in, inlen);
state->buflen += inlen;
}
static inline void __blake2s_final(struct blake2s_state *state, u8 *out,
blake2s_compress_t compress)
Reported by FlawFinder.
Line: 66
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
BLAKE2S_BLOCK_SIZE - state->buflen); /* Padding */
(*compress)(state, state->buf, 1, state->buflen);
cpu_to_le32_array(state->h, ARRAY_SIZE(state->h));
memcpy(out, state->h, state->outlen);
}
/* Helper functions for shash implementations of BLAKE2s */
struct blake2s_tfm_ctx {
Reported by FlawFinder.
Line: 84
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (keylen == 0 || keylen > BLAKE2S_KEY_SIZE)
return -EINVAL;
memcpy(tctx->key, key, keylen);
tctx->keylen = keylen;
return 0;
}
Reported by FlawFinder.