The following issues were found
fs/afs/volume.c
4 issues
Line: 95
Column: 2
CWE codes:
120
Suggestion:
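Make sure destination can always hold the source data. Triage note: the copy length here is `vldb->name_len + 1`, so the thing to confirm is that `name_len` is bounded below the size of `volume->name` before this point; the excerpt shows neither that check nor the declaration of `volume->name`.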
INIT_HLIST_NODE(&volume->proc_link);
rwlock_init(&volume->servers_lock);
rwlock_init(&volume->cb_v_break_lock);
memcpy(volume->name, vldb->name, vldb->name_len + 1);
slist = afs_alloc_server_list(params->cell, params->key, vldb, type_mask);
if (IS_ERR(slist)) {
ret = PTR_ERR(slist);
goto error_1;
Reported by FlawFinder.
Line: 305
Column: 2
CWE codes:
119
120
Suggestion:
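Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. Triage note: the flagged line is the declaration `char idbuf[16]`; the write into that buffer is the `sprintf()` reported separately at line 313 of this file, which is where the size actually matters.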
{
struct afs_server_list *new, *old, *discard;
struct afs_vldb_entry *vldb;
char idbuf[16];
int ret, idsz;
_enter("");
/* We look up an ID by passing it as a decimal string in the
Reported by FlawFinder.
Line: 313
Column: 9
CWE codes:
120
Suggestion:
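Use sprintf_s, snprintf, or vsnprintf. Triage note: kernel code has no `sprintf_s`, so the applicable fix is `snprintf()` (or `scnprintf()`) bounded by `sizeof(idbuf)`. This hit deserves a real look: the destination is declared as `char idbuf[16]` (see the finding at line 305), while `%llu` can print up to 20 digits plus the terminating NUL. The buffer is therefore large enough only if `volume->vid` is known never to exceed 15 decimal digits, which the excerpt does not establish.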
/* We look up an ID by passing it as a decimal string in the
* operation's name parameter.
*/
idsz = sprintf(idbuf, "%llu", volume->vid);
vldb = afs_vl_lookup_vldb(volume->cell, key, idbuf, idsz);
if (IS_ERR(vldb)) {
ret = PTR_ERR(vldb);
goto error;
Reported by FlawFinder.
Line: 325
Column: 3
CWE codes:
120
Suggestion:
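Make sure destination can always hold the source data. Triage note: this copy always moves `AFS_MAXVOLNAME` bytes regardless of `vldb->name_len`, so it is safe only if both `volume->name` and `vldb->name` are at least `AFS_MAXVOLNAME` bytes long; the excerpt shows neither declaration.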
if (vldb->name_len != volume->name_len ||
memcmp(vldb->name, volume->name, vldb->name_len) != 0) {
/* TODO: Use RCU'd string. */
memcpy(volume->name, vldb->name, AFS_MAXVOLNAME);
volume->name_len = vldb->name_len;
}
/* See if the volume's server list got updated. */
new = afs_alloc_server_list(volume->cell, key,
Reported by FlawFinder.
include/linux/cgroup-defs.h
4 issues
Line: 523
Column: 2
CWE codes:
119
120
Suggestion:
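Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. Triage note: this hit (like the other CWE-119/120 hits on struct members in this report) is on the declaration of a fixed-size `char` array, not on a write. It is a prompt to review the code that fills the array, which is not part of the excerpt; the declaration alone does not demonstrate an overflow.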
unsigned int flags;
/* The path to use for release notifications. */
char release_agent_path[PATH_MAX];
/* The name for this hierarchy - may be empty */
char name[MAX_CGROUP_ROOT_NAMELEN];
};
Reported by FlawFinder.
Line: 526
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char release_agent_path[PATH_MAX];
/* The name for this hierarchy - may be empty */
char name[MAX_CGROUP_ROOT_NAMELEN];
};
/*
* struct cftype: handler definitions for cgroup control files
*
Reported by FlawFinder.
Line: 542
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* subsystem, followed by a period. Zero length string indicates
* end of cftype array.
*/
char name[MAX_CFTYPE_NAME];
unsigned long private;
/*
* The maximum length of string, excluding trailing nul, that can
* be passed to write. If < PAGE_SIZE-1, PAGE_SIZE-1 is assumed.
Reported by FlawFinder.
Line: 570
Column: 8
CWE codes:
362
struct list_head node; /* anchored at ss->cfts */
struct kernfs_ops *kf_ops;
int (*open)(struct kernfs_open_file *of);
void (*release)(struct kernfs_open_file *of);
/*
* read_u64() is a shortcut for the common case of returning a
* single integer. Use it in place of read()
Reported by FlawFinder.
drivers/video/fbdev/smscufx.c
4 issues
Line: 844
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (line = 0; line < height; line++) {
const int line_offset = dev->info->fix.line_length * (y + line);
const int byte_offset = line_offset + (x * BPP);
memcpy(&cmd[(24 + (packed_line_len * line)) / 2],
(char *)dev->info->fix.smem_start + byte_offset, width * BPP);
}
}
static int ufx_handle_damage(struct ufx_data *dev, int x, int y,
Reported by FlawFinder.
Line: 1310
Column: 4
CWE codes:
120
Suggestion:
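Make sure destination can always hold the source data. Triage note: the copy into the new buffer is sized by `old_len`, so it is safe only if `new_fb` was allocated with at least `old_len` bytes; the comparison between the old and new lengths, if there is one, is above the excerpt. The hit at drivers/video/fbdev/udlfb.c line 1239 shows the same pattern.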
return -ENOMEM;
if (info->screen_base) {
memcpy(new_fb, old_fb, old_len);
vfree(info->screen_base);
}
info->screen_base = new_fb;
info->fix.smem_len = PAGE_ALIGN(new_len);
Reported by FlawFinder.
Line: 1531
Column: 5
CWE codes:
120
Suggestion:
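Make sure destination can always hold the source data. Triage note: the guard visible in the excerpt, `default_edid_size >= EDID_LENGTH`, is a lower bound. What this copy needs is an upper bound on `default_edid_size` against the size of the `edid` allocation, and neither that allocation nor such a check is shown here. The hit at drivers/video/fbdev/udlfb.c line 1342 has the same shape.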
if (default_edid_size >= EDID_LENGTH) {
fb_edid_to_monspecs(default_edid, &info->monspecs);
if (info->monspecs.modedb_len > 0) {
memcpy(edid, default_edid, default_edid_size);
dev->edid = edid;
dev->edid_size = default_edid_size;
pr_err("Using default/backup EDID\n");
}
}
Reported by FlawFinder.
Line: 1588
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ufx_var_color_format(&info->var);
/* with mode size info, we can now alloc our framebuffer */
memcpy(&info->fix, &ufx_fix, sizeof(ufx_fix));
info->fix.line_length = info->var.xres *
(info->var.bits_per_pixel / 8);
result = ufx_realloc_framebuffer(dev, info);
Reported by FlawFinder.
include/linux/bpf-cgroup.h
4 issues
Line: 147
Column: 17
CWE codes:
362/367!
Suggestion:
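Set up the correct permissions (e.g., using setuid()) and try to open the file directly. Triage note: CWE-362/367 here comes from FlawFinder's rule for the `access()` call, which targets check-then-open races on file paths. In this excerpt `access` is only a parameter name in the `__cgroup_bpf_check_dev_permission()` prototype, so no file-permission check is being made. The same holds for the hits at lines 385, 390 and 527 of this file, where `access` appears as a macro parameter or argument; all four look like name-match false positives.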
enum bpf_attach_type type);
int __cgroup_bpf_check_dev_permission(short dev_type, u32 major, u32 minor,
short access, enum bpf_attach_type type);
int __cgroup_bpf_run_filter_sysctl(struct ctl_table_header *head,
struct ctl_table *table, int write,
char **buf, size_t *pcount, loff_t *ppos,
enum bpf_attach_type type);
Reported by FlawFinder.
Line: 385
Column: 63
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
__ret; \
})
#define BPF_CGROUP_RUN_PROG_DEVICE_CGROUP(type, major, minor, access) \
({ \
int __ret = 0; \
if (cgroup_bpf_enabled(BPF_CGROUP_DEVICE)) \
__ret = __cgroup_bpf_check_dev_permission(type, major, minor, \
access, \
Reported by FlawFinder.
Line: 390
Column: 10
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
int __ret = 0; \
if (cgroup_bpf_enabled(BPF_CGROUP_DEVICE)) \
__ret = __cgroup_bpf_check_dev_permission(type, major, minor, \
access, \
BPF_CGROUP_DEVICE); \
\
__ret; \
})
Reported by FlawFinder.
Line: 527
Column: 60
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
#define BPF_CGROUP_RUN_PROG_UDP4_RECVMSG_LOCK(sk, uaddr) ({ 0; })
#define BPF_CGROUP_RUN_PROG_UDP6_RECVMSG_LOCK(sk, uaddr) ({ 0; })
#define BPF_CGROUP_RUN_PROG_SOCK_OPS(sock_ops) ({ 0; })
#define BPF_CGROUP_RUN_PROG_DEVICE_CGROUP(type,major,minor,access) ({ 0; })
#define BPF_CGROUP_RUN_PROG_SYSCTL(head,table,write,buf,count,pos) ({ 0; })
#define BPF_CGROUP_GETSOCKOPT_MAX_OPTLEN(optlen) ({ 0; })
#define BPF_CGROUP_RUN_PROG_GETSOCKOPT(sock, level, optname, optval, \
optlen, max_optlen, retval) ({ retval; })
#define BPF_CGROUP_RUN_PROG_GETSOCKOPT_KERN(sock, level, optname, optval, \
Reported by FlawFinder.
fs/btrfs/inode.c
4 issues
Line: 5870
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return ERR_PTR(-ENOMEM);
BTRFS_I(inode)->root = btrfs_grab_root(root);
memcpy(&BTRFS_I(inode)->location, key, sizeof(*key));
set_bit(BTRFS_INODE_DUMMY, &BTRFS_I(inode)->runtime_flags);
inode->i_ino = BTRFS_EMPTY_SUBVOL_DIR_OBJECTID;
/*
* We only need lookup, the rest is read-only and there's no inode
Reported by FlawFinder.
Line: 3602
Column: 6
CWE codes:
126
if (!xattr_access) {
xattr_access = btrfs_name_hash(XATTR_NAME_POSIX_ACL_ACCESS,
strlen(XATTR_NAME_POSIX_ACL_ACCESS));
xattr_default = btrfs_name_hash(XATTR_NAME_POSIX_ACL_DEFAULT,
strlen(XATTR_NAME_POSIX_ACL_DEFAULT));
}
slot++;
Reported by FlawFinder.
Line: 3604
Column: 6
CWE codes:
126
xattr_access = btrfs_name_hash(XATTR_NAME_POSIX_ACL_ACCESS,
strlen(XATTR_NAME_POSIX_ACL_ACCESS));
xattr_default = btrfs_name_hash(XATTR_NAME_POSIX_ACL_DEFAULT,
strlen(XATTR_NAME_POSIX_ACL_DEFAULT));
}
slot++;
*first_xattr_slot = -1;
while (slot < nritems) {
Reported by FlawFinder.
Line: 9931
Column: 13
CWE codes:
126
struct btrfs_file_extent_item *ei;
struct extent_buffer *leaf;
name_len = strlen(symname);
if (name_len > BTRFS_MAX_INLINE_DATA_SIZE(fs_info))
return -ENAMETOOLONG;
/*
* 2 items for inode item and ref
Reported by FlawFinder.
include/linux/adb.h
4 issues
Line: 12
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct adb_request {
unsigned char data[32];
int nbytes;
unsigned char reply[32];
int reply_len;
unsigned char reply_expected;
unsigned char sent;
Reported by FlawFinder.
Line: 14
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct adb_request {
unsigned char data[32];
int nbytes;
unsigned char reply[32];
int reply_len;
unsigned char reply_expected;
unsigned char sent;
unsigned char complete;
void (*done)(struct adb_request *);
Reported by FlawFinder.
Line: 26
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/*
 * Holds an integer count (nids) together with a fixed array of 16 bytes (id).
 * NOTE(review): presumably nids is the number of valid entries in id[]; code
 * that fills or walks id[] must keep the index below 16. Confirm at the users
 * of this struct, which are not visible here.
 */
struct adb_ids {
/* signed int; NOTE(review): callers should reject negative or >16 values before indexing id[] (confirm) */
int nids;
/* fixed capacity: 16 one-byte entries */
unsigned char id[16];
};
/* Structure which encapsulates a low-level ADB driver */
struct adb_driver {
Reported by FlawFinder.
Line: 32
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Structure which encapsulates a low-level ADB driver */
struct adb_driver {
char name[16];
int (*probe)(void);
int (*init)(void);
int (*send_request)(struct adb_request *req, int sync);
int (*autopoll)(int devs);
void (*poll)(void);
Reported by FlawFinder.
drivers/video/fbdev/udlfb.c
4 issues
Line: 1239
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memset(new_fb, 0xff, new_len);
if (info->screen_base) {
memcpy(new_fb, old_fb, old_len);
dlfb_deferred_vfree(dlfb, (void __force *)info->screen_base);
}
info->screen_base = (char __iomem *)new_fb;
info->fix.smem_len = new_len;
Reported by FlawFinder.
Line: 1342
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (default_edid_size >= EDID_LENGTH) {
fb_edid_to_monspecs(default_edid, &info->monspecs);
if (info->monspecs.modedb_len > 0) {
memcpy(edid, default_edid, default_edid_size);
dlfb->edid = edid;
dlfb->edid_size = default_edid_size;
dev_err(dev, "Using default/backup EDID\n");
}
}
Reported by FlawFinder.
Line: 1411
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/*
* with mode size info, we can now alloc our framebuffer.
*/
memcpy(&info->fix, &dlfb_fix, sizeof(dlfb_fix));
} else
result = -EINVAL;
error:
if (edid && (dlfb->edid != edid))
Reported by FlawFinder.
Line: 1474
Column: 2
CWE codes:
120
Suggestion:
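Make sure destination can always hold the source data. Triage note: the excerpt clamps `count` to `dlfb->edid_size - off`, which bounds the read from `dlfb->edid` provided `off` has already been checked to be no larger than `dlfb->edid_size`; that check, if present, is above the excerpt, and without it the subtraction could wrap. Separately, the copy starts at `dlfb->edid` rather than `dlfb->edid + off`, so a read at a non-zero offset would return bytes from the start of the buffer; worth confirming whether that is intended.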
if (off + count > dlfb->edid_size)
count = dlfb->edid_size - off;
memcpy(buf, dlfb->edid, count);
return count;
}
static ssize_t edid_store(
Reported by FlawFinder.
include/crypto/internal/blake2b.h
4 issues
Line: 34
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (unlikely(!inlen))
return;
if (inlen > fill) {
memcpy(state->buf + state->buflen, in, fill);
(*compress)(state, state->buf, 1, BLAKE2B_BLOCK_SIZE);
state->buflen = 0;
in += fill;
inlen -= fill;
}
Reported by FlawFinder.
Line: 47
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
in += BLAKE2B_BLOCK_SIZE * (nblocks - 1);
inlen -= BLAKE2B_BLOCK_SIZE * (nblocks - 1);
}
memcpy(state->buf + state->buflen, in, inlen);
state->buflen += inlen;
}
static inline void __blake2b_final(struct blake2b_state *state, u8 *out,
blake2b_compress_t compress)
Reported by FlawFinder.
Line: 62
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
(*compress)(state, state->buf, 1, state->buflen);
for (i = 0; i < ARRAY_SIZE(state->h); i++)
__cpu_to_le64s(&state->h[i]);
memcpy(out, state->h, state->outlen);
}
/* Helper functions for shash implementations of BLAKE2b */
struct blake2b_tfm_ctx {
Reported by FlawFinder.
Line: 80
Column: 2
CWE codes:
120
Suggestion:
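Make sure destination can always hold the source data. Triage note: the excerpt shows `keylen` rejected with `-EINVAL` when it is 0 or greater than `BLAKE2B_KEY_SIZE` before the copy, so this finding reduces to confirming that `tctx->key` is declared with at least `BLAKE2B_KEY_SIZE` bytes (the declaration is not shown).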
if (keylen == 0 || keylen > BLAKE2B_KEY_SIZE)
return -EINVAL;
memcpy(tctx->key, key, keylen);
tctx->keylen = keylen;
return 0;
}
Reported by FlawFinder.
fs/buffer.c
4 issues
Line: 1919
CWE codes:
476
{
loff_t offset = block << inode->i_blkbits;
bh->b_bdev = iomap->bdev;
/*
* Block points to offset in file we need to map, iomap contains
* the offset at which the map starts. If the map ends before the
* current block, then do not map the buffer and let the caller
Reported by Cppcheck.
Line: 1919
CWE codes:
476
{
loff_t offset = block << inode->i_blkbits;
bh->b_bdev = iomap->bdev;
/*
* Block points to offset in file we need to map, iomap contains
* the offset at which the map starts. If the map ends before the
* current block, then do not map the buffer and let the caller
Reported by Cppcheck.
Line: 1927
CWE codes:
476
* current block, then do not map the buffer and let the caller
* handle it.
*/
BUG_ON(offset >= iomap->offset + iomap->length);
switch (iomap->type) {
case IOMAP_HOLE:
/*
* If the buffer is not up to date or beyond the current EOF,
Reported by Cppcheck.
Line: 1929
CWE codes:
476
*/
BUG_ON(offset >= iomap->offset + iomap->length);
switch (iomap->type) {
case IOMAP_HOLE:
/*
* If the buffer is not up to date or beyond the current EOF,
* we need to mark it as new to ensure sub-block zeroing is
* executed if necessary.
Reported by Cppcheck.
include/linux/pnp.h
4 issues
Line: 212
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct pnp_protocol *protocol;
struct pnp_id *id; /* contains supported EISA IDs */
char name[PNP_NAME_LEN]; /* contains a human-readable name */
unsigned char pnpver; /* Plug & Play version */
unsigned char productver; /* product version */
unsigned int serial; /* serial number */
unsigned char checksum; /* if zero - checksum passed */
struct proc_dir_entry *procdir; /* directory entry in /proc/bus/isapnp */
Reported by FlawFinder.
Line: 267
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct list_head resources;
struct list_head options;
char name[PNP_NAME_LEN]; /* contains a human-readable name */
int flags; /* used by protocols */
struct proc_dir_entry *procent; /* device entry in /proc/bus/isapnp */
void *data;
};
Reported by FlawFinder.
Line: 293
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
/*
 * Pairs a 7-byte ID buffer with a quirk callback that receives a pnp_dev.
 * NOTE(review): whether id[] is NUL-terminated cannot be told from here; code
 * comparing or copying it should bound the operation by sizeof(id) rather
 * than rely on a terminator. Confirm against the users of this struct.
 */
struct pnp_fixup {
/* fixed 7-byte buffer; see the termination note above */
char id[7];
void (*quirk_function) (struct pnp_dev * dev);	/* fixup function */
};
/* config parameters */
#define PNP_CONFIG_NORMAL 0x0001
Reported by FlawFinder.
Line: 370
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
/*
 * One ID entry: a fixed buffer of PNP_ID_LEN bytes plus a pointer to another
 * pnp_id, so entries can be chained through next.
 * NOTE(review): writers of id[] must bound the copy by PNP_ID_LEN (or
 * sizeof(id)); the code that fills it is not visible here.
 */
struct pnp_id {
/* fixed-size ID buffer, PNP_ID_LEN bytes */
char id[PNP_ID_LEN];
/* next entry in the chain; NOTE(review): presumably NULL ends the chain (confirm) */
struct pnp_id *next;
};
struct pnp_driver {
const char *name;
Reported by FlawFinder.