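The following issues were reported by FlawFinder. FlawFinder matches identifier names and call patterns in the source text and does not follow data flow, so each entry is a candidate for review rather than a confirmed defect. Several entries below land on a struct member or parameter named `read`, `open` or `access`, not on a call to the C library function of that name.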
fs/ceph/addr.c
4 issues
Line: 1041
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pages = mempool_alloc(ceph_wb_pagevec_pool, GFP_NOFS);
BUG_ON(!pages);
}
memcpy(pages, data_pages + i,
locked_pages * sizeof(*pages));
memset(data_pages + i, 0,
locked_pages * sizeof(*pages));
} else {
BUG_ON(num_ops != req->r_num_ops);
Reported by FlawFinder.
Line: 1575
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (len > 0) {
void *kaddr = kmap_atomic(page);
memcpy(kaddr, data, len);
kunmap_atomic(kaddr);
}
if (page != locked_page) {
if (len < PAGE_SIZE)
Reported by FlawFinder.
Line: 1692
Column: 3
CWE codes:
119
120
Suggestion:
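Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. Triage note: the only write to xattr_buf visible in this excerpt is snprintf() bounded by sizeof(xattr_buf), and "%llu" produces at most 20 digits, which fits in 32 bytes with the terminator, so xattr_len cannot exceed the buffer here.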
}
{
char xattr_buf[32];
int xattr_len = snprintf(xattr_buf, sizeof(xattr_buf),
"%llu", inline_version);
err = osd_req_op_xattr_init(req, 2, CEPH_OSD_OP_SETXATTR,
"inline_version",
xattr_buf, xattr_len, 0, 0);
Reported by FlawFinder.
Line: 1903
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
perm->perm = have;
perm->pool_ns_len = pool_ns_len;
if (pool_ns_len > 0)
memcpy(perm->pool_ns, pool_ns->str, pool_ns_len);
perm->pool_ns[pool_ns_len] = 0;
rb_link_node(&perm->node, parent, p);
rb_insert_color(&perm->node, &mdsc->pool_perm_tree);
err = 0;
Reported by FlawFinder.
include/linux/phy.h
4 issues
Line: 320
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct mii_bus {
struct module *owner;
const char *name;
char id[MII_BUS_ID_SIZE];
void *priv;
/** @read: Perform a read transfer on the bus */
int (*read)(struct mii_bus *bus, int addr, int regnum);
/** @write: Perform a write transfer on the bus */
int (*write)(struct mii_bus *bus, int addr, int regnum, u16 val);
Reported by FlawFinder.
Line: 914
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/*
 * A Structure for boards to register fixups with the PHY Lib
 *
 * Holds a fixed-size bus identifier, a PHY UID with a mask, and a callback
 * that receives the phy_device.
 */
struct phy_fixup {
/* list linkage for this entry */
struct list_head list;
/*
 * Fixed-size buffer of MII_BUS_ID_SIZE + 3 bytes; any copy into it has to
 * be bounded by sizeof(bus_id).
 * NOTE(review): presumably a NUL-terminated identifier; the reason for the
 * extra 3 bytes is not visible here -- confirm against the writers.
 */
char bus_id[MII_BUS_ID_SIZE + 3];
/* NOTE(review): presumably the UID and mask a PHY is matched against -- confirm */
u32 phy_uid;
u32 phy_uid_mask;
/* callback invoked with the PHY device; returns an int status */
int (*run)(struct phy_device *phydev);
};
Reported by FlawFinder.
Line: 1750
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/*
 * Board-level description of an MDIO device: a bus identifier, a fixed-size
 * modalias buffer, an MDIO address and an opaque platform_data pointer.
 */
struct mdio_board_info {
/* pointer to a constant string; this struct does not own a copy */
const char *bus_id;
/*
 * Fixed-size buffer of MDIO_NAME_SIZE bytes; any copy into it has to be
 * bounded by sizeof(modalias).
 * NOTE(review): presumably NUL-terminated -- confirm against the writers.
 */
char modalias[MDIO_NAME_SIZE];
/* NOTE(review): presumably the device address on the MDIO bus -- confirm valid range */
int mdio_addr;
/* opaque, read-only data passed through to the consumer */
const void *platform_data;
};
#if IS_ENABLED(CONFIG_MDIO_DEVICE)
Reported by FlawFinder.
Line: 323
Column: 8
CWE codes:
120
20
char id[MII_BUS_ID_SIZE];
void *priv;
/** @read: Perform a read transfer on the bus */
int (*read)(struct mii_bus *bus, int addr, int regnum);
/** @write: Perform a write transfer on the bus */
int (*write)(struct mii_bus *bus, int addr, int regnum, u16 val);
/** @reset: Perform a reset of the bus */
int (*reset)(struct mii_bus *bus);
Reported by FlawFinder.
fs/cifs/cifsroot.c
4 issues
Line: 22
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
"vers=1.0,cifsacl,mfsymlinks,rsize=1048576,wsize=65536,uid=0,gid=0," \
"hard,rootfs"
static char root_dev[2048] __initdata = "";
static char root_opts[1024] __initdata = DEFAULT_MNT_OPTS;
static __be32 __init parse_srvaddr(char *start, char *end)
{
/* TODO: ipv6 support */
Reported by FlawFinder.
Line: 23
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
"hard,rootfs"
static char root_dev[2048] __initdata = "";
static char root_opts[1024] __initdata = DEFAULT_MNT_OPTS;
static __be32 __init parse_srvaddr(char *start, char *end)
{
/* TODO: ipv6 support */
char addr[sizeof("aaa.bbb.ccc.ddd")];
Reported by FlawFinder.
Line: 28
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static __be32 __init parse_srvaddr(char *start, char *end)
{
/* TODO: ipv6 support */
char addr[sizeof("aaa.bbb.ccc.ddd")];
int i = 0;
while (start < end && i < sizeof(addr) - 1) {
if (isdigit(*start) || *start == '.')
addr[i++] = *start;
Reported by FlawFinder.
Line: 49
Column: 6
CWE codes:
126
ROOT_DEV = Root_CIFS;
if (strlen(line) > 3 && line[0] == '/' && line[1] == '/') {
s = strchr(&line[2], '/');
if (!s || s[1] == '\0')
return 1;
/* make s point to ',' or '\0' at end of line */
Reported by FlawFinder.
fs/cifs/link.c
4 issues
Line: 85
Column: 7
CWE codes:
120
20
Suggestion:
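Specify a limit to %s, or use a different input function. Triage note: the call shown stores a single conversion into link_len, and the format macro is not visible in this excerpt, so the %s advice may not apply. The check worth making is on the parsed value: link_len is read from buf and passed to symlink_hash() with no bound visible in between, so confirm it is limited to CIFS_MF_SYMLINK_LINK_MAXLEN before use.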
md5_str1 = (const char *)&buf[CIFS_MF_SYMLINK_MD5_OFFSET];
link_str = (const char *)&buf[CIFS_MF_SYMLINK_LINK_OFFSET];
rc = sscanf(buf, CIFS_MF_SYMLINK_LEN_FORMAT, &link_len);
if (rc != 1)
return -EINVAL;
rc = symlink_hash(link_len, link_str, md5_hash);
if (rc) {
Reported by FlawFinder.
Line: 77
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char *md5_str1;
const char *link_str;
u8 md5_hash[16];
char md5_str2[34];
if (buf_len != CIFS_MF_SYMLINK_FILE_SIZE)
return -EINVAL;
md5_str1 = (const char *)&buf[CIFS_MF_SYMLINK_MD5_OFFSET];
Reported by FlawFinder.
Line: 140
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
CIFS_MF_SYMLINK_MD5_ARGS(md5_hash));
ofs = CIFS_MF_SYMLINK_LINK_OFFSET;
memcpy(buf + ofs, link_str, link_len);
ofs += link_len;
if (ofs < CIFS_MF_SYMLINK_FILE_SIZE) {
buf[ofs] = '\n';
ofs++;
Reported by FlawFinder.
Line: 123
Column: 13
CWE codes:
126
if (buf_len != CIFS_MF_SYMLINK_FILE_SIZE)
return -EINVAL;
link_len = strlen(link_str);
if (link_len > CIFS_MF_SYMLINK_LINK_MAXLEN)
return -ENAMETOOLONG;
rc = symlink_hash(link_len, link_str, md5_hash);
Reported by FlawFinder.
fs/cifs/smb1ops.c
4 issues
Line: 358
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
target_hdr->smb_buf_length = cpu_to_be32(byte_count);
/* copy second buffer into end of first buffer */
memcpy(data_area_of_tgt, data_area_of_src, total_in_src);
if (remaining != total_in_src) {
/* more responses to go */
cifs_dbg(FYI, "waiting for more secondary responses\n");
return 1;
Reported by FlawFinder.
Line: 1107
Column: 31
CWE codes:
362
oplock = REQ_OPLOCK;
else
oplock = 0;
rc = tcon->ses->server->ops->open(xid, &oparms, &oplock, buf);
if (rc)
goto out;
/*
* BB Do not bother to decode buf since no local inode yet to put
Reported by FlawFinder.
Line: 1124
Column: 3
CWE codes:
120
Suggestion:
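Make sure destination can always hold the source data. Triage note: this copy and the "IntxBLK" copy reported at line 1130 both use a constant length of 8, which is the 7-character literal plus its terminating NUL, so the source side is fixed. What remains to confirm is that pdev->type is at least 8 bytes, which this excerpt does not show.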
iov[1].iov_base = buf;
iov[1].iov_len = sizeof(struct win_dev);
if (S_ISCHR(mode)) {
memcpy(pdev->type, "IntxCHR", 8);
pdev->major = cpu_to_le64(MAJOR(dev));
pdev->minor = cpu_to_le64(MINOR(dev));
rc = tcon->ses->server->ops->sync_write(xid, &fid, &io_parms,
&bytes_written, iov, 1);
} else if (S_ISBLK(mode)) {
Reported by FlawFinder.
Line: 1130
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
rc = tcon->ses->server->ops->sync_write(xid, &fid, &io_parms,
&bytes_written, iov, 1);
} else if (S_ISBLK(mode)) {
memcpy(pdev->type, "IntxBLK", 8);
pdev->major = cpu_to_le64(MAJOR(dev));
pdev->minor = cpu_to_le64(MINOR(dev));
rc = tcon->ses->server->ops->sync_write(xid, &fid, &io_parms,
&bytes_written, iov, 1);
}
Reported by FlawFinder.
fs/cifs/smb2inode.c
4 issues
Line: 663
Column: 42
CWE codes:
362/367!
Suggestion:
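Set up the correct permissions (e.g., using setuid()) and try to open the file directly. Triage note: at this line and column the excerpt shows a parameter declared as `__u32 access`, not a call to access(2), so this looks like a name match rather than a check-then-use race on a file; the setuid() advice does not apply to this kernel function.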
static int
smb2_set_path_attr(const unsigned int xid, struct cifs_tcon *tcon,
const char *from_name, const char *to_name,
struct cifs_sb_info *cifs_sb, __u32 access, int command,
struct cifsFileInfo *cfile)
{
__le16 *smb2_to_name = NULL;
int rc;
Reported by FlawFinder.
Line: 674
Column: 55
CWE codes:
362/367!
Suggestion:
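Set up the correct permissions (e.g., using setuid()) and try to open the file directly. Triage note: at this line and column the excerpt shows the variable `access` being passed as an argument to smb2_compound_op(), not a call to access(2), so this looks like a name match rather than a check-then-use race on a file.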
rc = -ENOMEM;
goto smb2_rename_path;
}
rc = smb2_compound_op(xid, tcon, cifs_sb, from_name, access,
FILE_OPEN, 0, ACL_NO_MODE, smb2_to_name,
command, cfile);
smb2_rename_path:
kfree(smb2_to_name);
return rc;
Reported by FlawFinder.
Line: 488
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/*
 * Copy an smb2_file_all_info record into a FILE_ALL_INFO record.
 *
 * Everything that precedes CurrentByteOffset in *src is copied as one block;
 * CurrentByteOffset, Mode and AlignmentRequirement are then assigned field by
 * field and IndexNumber1 is cleared.
 *
 * NOTE(review): the block copy stays in bounds only if FILE_ALL_INFO is at
 * least as large as the copied prefix and the two structs share that leading
 * layout. Neither definition is visible here -- confirm against the headers.
 */
void
move_smb2_info_to_cifs(FILE_ALL_INFO *dst, struct smb2_file_all_info *src)
{
/* length = byte offset of CurrentByteOffset within *src, taken by address subtraction */
memcpy(dst, src, (size_t)(&src->CurrentByteOffset) - (size_t)src);
dst->CurrentByteOffset = src->CurrentByteOffset;
dst->Mode = src->Mode;
dst->AlignmentRequirement = src->AlignmentRequirement;
dst->IndexNumber1 = 0; /* we don't use it */
}
Reported by FlawFinder.
Line: 600
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto out;
/* TODO: will need to allow for the 2 SIDs when add support for getting owner UID/GID */
memcpy(data, smb2_data, sizeof(struct smb311_posix_qinfo));
out:
kfree(smb2_data);
return rc;
}
Reported by FlawFinder.
fs/cifs/transport.c
4 issues
Line: 1235
Column: 10
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
goto out;
}
buf = (char *)midQ[i]->resp_buf;
resp_iov[i].iov_base = buf;
resp_iov[i].iov_len = midQ[i]->resp_buf_size +
server->vals->header_preamble_size;
if (midQ[i]->large_buf)
Reported by FlawFinder.
Line: 1313
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
new_iov = s_iov;
/* 1st iov is a RFC1001 length followed by the rest of the packet */
memcpy(new_iov + 1, iov, (sizeof(struct kvec) * n_vec));
new_iov[0].iov_base = new_iov[1].iov_base;
new_iov[0].iov_len = 4;
new_iov[1].iov_base += 4;
new_iov[1].iov_len -= 4;
Reported by FlawFinder.
Line: 1434
Column: 2
CWE codes:
120
Suggestion:
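Make sure destination can always hold the source data. Triage note: here, and in the identical copy reported at line 1610, the length is taken from the response itself via get_rfc1002_length(midQ->resp_buf) plus 4. The excerpt shows neither the capacity of out_buf nor a check of that length against it, so confirm where the received length is bounded before this copy.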
}
*pbytes_returned = get_rfc1002_length(midQ->resp_buf);
memcpy(out_buf, midQ->resp_buf, *pbytes_returned + 4);
rc = cifs_check_receive(midQ, server, 0);
out:
cifs_delete_mid(midQ);
add_credits(server, &credits, 0);
Reported by FlawFinder.
Line: 1610
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
*pbytes_returned = get_rfc1002_length(midQ->resp_buf);
memcpy(out_buf, midQ->resp_buf, *pbytes_returned + 4);
rc = cifs_check_receive(midQ, server, 0);
out:
cifs_delete_mid(midQ);
if (rstart && rc == -EACCES)
return -ERESTARTSYS;
Reported by FlawFinder.
fs/configfs/file.c
4 issues
Line: 270
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* copy old contents */
if (buffer->bin_buffer) {
memcpy(tbuf, buffer->bin_buffer,
buffer->bin_buffer_size);
vfree(buffer->bin_buffer);
}
/* clear the new area */
Reported by FlawFinder.
Line: 127
Column: 28
CWE codes:
120
20
/* perform first read with buf == NULL to get extent */
down_read(&frag->frag_sem);
if (!frag->frag_dead)
len = buffer->bin_attr->read(buffer->item, NULL, 0);
else
len = -ENOENT;
up_read(&frag->frag_sem);
if (len <= 0) {
retval = len;
Reported by FlawFinder.
Line: 152
Column: 28
CWE codes:
120
20
/* perform second read to fill buffer */
down_read(&frag->frag_sem);
if (!frag->frag_dead)
len = buffer->bin_attr->read(buffer->item,
buffer->bin_buffer, len);
else
len = -ENOENT;
up_read(&frag->frag_sem);
if (len < 0) {
Reported by FlawFinder.
Line: 358
Column: 61
CWE codes:
120
20
goto out_put_module;
if ((type & CONFIGFS_ITEM_ATTR) && !attr->show)
goto out_put_module;
if ((type & CONFIGFS_ITEM_BIN_ATTR) && !buffer->bin_attr->read)
goto out_put_module;
}
mutex_init(&buffer->mutex);
buffer->needs_read_fill = 1;
Reported by FlawFinder.
fs/configfs/symlink.c
4 issues
Line: 51
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* back up enough to print this bus id with '/' */
length -= cur;
memcpy(buffer + length, config_item_name(p), cur);
*(buffer + --length) = '/';
}
}
static int configfs_get_target_path(struct config_item *item,
Reported by FlawFinder.
Line: 70
Column: 3
CWE codes:
120
Suggestion:
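Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Triage note: strcpy_s is a C11 Annex K function that the kernel does not provide; the kernel's bounded copy is strscpy(). The loop shown writes the 3-character literal "../" plus a NUL `depth` times, so the point to confirm is that the buffer behind `path` was sized for 3 * depth bytes plus the target path, which this excerpt does not show.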
pr_debug("%s: depth = %d, size = %d\n", __func__, depth, size);
for (s = path; depth--; s += 3)
strcpy(s,"../");
fill_item_path(target, path, size);
pr_debug("%s: path = '%s'\n", __func__, path);
return 0;
}
Reported by FlawFinder.
Line: 35
Column: 13
CWE codes:
126
struct config_item * p = item;
int length = 1;
do {
length += strlen(config_item_name(p)) + 1;
p = p->ci_parent;
} while (p && !configfs_is_root(p));
return length;
}
Reported by FlawFinder.
Line: 47
Column: 13
CWE codes:
126
--length;
for (p = item; p && !configfs_is_root(p); p = p->ci_parent) {
int cur = strlen(config_item_name(p));
/* back up enough to print this bus id with '/' */
length -= cur;
memcpy(buffer + length, config_item_name(p), cur);
*(buffer + --length) = '/';
Reported by FlawFinder.
fs/crypto/keysetup.c
4 issues
Line: 192
Column: 3
CWE codes:
120
Suggestion:
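Make sure destination can always hold the source data. Triage note: the excerpt pins sizeof(hkdf_info) to 17 at build time with BUILD_BUG_ON, and one byte (mode_num) is stored before the copy. The memcpy fits if hkdf_infolen is 1 at that point and sb->s_uuid is 16 bytes; neither is shown here, so confirm both in the source.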
BUILD_BUG_ON(sizeof(hkdf_info) != 17);
hkdf_info[hkdf_infolen++] = mode_num;
if (include_fs_uuid) {
memcpy(&hkdf_info[hkdf_infolen], &sb->s_uuid,
sizeof(sb->s_uuid));
hkdf_infolen += sizeof(sb->s_uuid);
}
err = fscrypt_hkdf_expand(&mk->mk_secret.hkdf,
hkdf_context, hkdf_info, hkdf_infolen,
Reported by FlawFinder.
Line: 386
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
switch (ci->ci_policy.version) {
case FSCRYPT_POLICY_V1:
mk_spec.type = FSCRYPT_KEY_SPEC_TYPE_DESCRIPTOR;
memcpy(mk_spec.u.descriptor,
ci->ci_policy.v1.master_key_descriptor,
FSCRYPT_KEY_DESCRIPTOR_SIZE);
break;
case FSCRYPT_POLICY_V2:
mk_spec.type = FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER;
Reported by FlawFinder.
Line: 392
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
break;
case FSCRYPT_POLICY_V2:
mk_spec.type = FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER;
memcpy(mk_spec.u.identifier,
ci->ci_policy.v2.master_key_identifier,
FSCRYPT_KEY_IDENTIFIER_SIZE);
break;
default:
WARN_ON(1);
Reported by FlawFinder.
Line: 521
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
crypt_info->ci_inode = inode;
crypt_info->ci_policy = *policy;
memcpy(crypt_info->ci_nonce, nonce, FSCRYPT_FILE_NONCE_SIZE);
mode = select_encryption_mode(&crypt_info->ci_policy, inode);
if (IS_ERR(mode)) {
res = PTR_ERR(mode);
goto out;
Reported by FlawFinder.