The following issues were found
fs/vboxsf/dir.c
4 issues
Line: 147
Column: 4
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
fake_ino = ctx->pos + 1;
if (sbi->nls) {
char d_name[NAME_MAX];
err = vboxsf_nlscpy(sbi, d_name, NAME_MAX,
info->name.string.utf8,
info->name.length);
if (err) {
Reported by FlawFinder.
Line: 455
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
ssymname->length = symname_size - 1;
ssymname->size = symname_size;
memcpy(ssymname->string.utf8, symname, symname_size);
err = vboxsf_symlink(sbi->root, path, ssymname, &info);
kfree(ssymname);
__putname(path);
if (err) {
Reported by FlawFinder.
Line: 158
Column: 33
CWE codes:
126
goto try_next_entry;
}
return dir_emit(ctx, d_name, strlen(d_name),
fake_ino, d_type);
}
return dir_emit(ctx, info->name.string.utf8, info->name.length,
fake_ino, d_type);
Reported by FlawFinder.
Line: 439
Column: 21
CWE codes:
126
{
struct vboxsf_inode *sf_parent_i = VBOXSF_I(parent);
struct vboxsf_sbi *sbi = VBOXSF_SBI(parent->i_sb);
int symname_size = strlen(symname) + 1;
struct shfl_string *path, *ssymname;
struct shfl_fsobjinfo info;
int err;
path = vboxsf_path_from_dentry(sbi, dentry);
Reported by FlawFinder.
fs/ufs/inode.c
4 issues
Line: 596
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (S_ISCHR(mode) || S_ISBLK(mode) || inode->i_blocks) {
memcpy(ufsi->i_u1.i_data, &ufs_inode->ui_u2.ui_addr,
sizeof(ufs_inode->ui_u2.ui_addr));
} else {
memcpy(ufsi->i_u1.i_symlink, ufs_inode->ui_u2.ui_symlink,
sizeof(ufs_inode->ui_u2.ui_symlink) - 1);
ufsi->i_u1.i_symlink[sizeof(ufs_inode->ui_u2.ui_symlink) - 1] = 0;
Reported by FlawFinder.
Line: 599
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(ufsi->i_u1.i_data, &ufs_inode->ui_u2.ui_addr,
sizeof(ufs_inode->ui_u2.ui_addr));
} else {
memcpy(ufsi->i_u1.i_symlink, ufs_inode->ui_u2.ui_symlink,
sizeof(ufs_inode->ui_u2.ui_symlink) - 1);
ufsi->i_u1.i_symlink[sizeof(ufs_inode->ui_u2.ui_symlink) - 1] = 0;
}
return 0;
}
Reported by FlawFinder.
Line: 643
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*/
if (S_ISCHR(mode) || S_ISBLK(mode) || inode->i_blocks) {
memcpy(ufsi->i_u1.u2_i_data, &ufs2_inode->ui_u2.ui_addr,
sizeof(ufs2_inode->ui_u2.ui_addr));
} else {
memcpy(ufsi->i_u1.i_symlink, ufs2_inode->ui_u2.ui_symlink,
sizeof(ufs2_inode->ui_u2.ui_symlink) - 1);
ufsi->i_u1.i_symlink[sizeof(ufs2_inode->ui_u2.ui_symlink) - 1] = 0;
Reported by FlawFinder.
Line: 646
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(ufsi->i_u1.u2_i_data, &ufs2_inode->ui_u2.ui_addr,
sizeof(ufs2_inode->ui_u2.ui_addr));
} else {
memcpy(ufsi->i_u1.i_symlink, ufs2_inode->ui_u2.ui_symlink,
sizeof(ufs2_inode->ui_u2.ui_symlink) - 1);
ufsi->i_u1.i_symlink[sizeof(ufs2_inode->ui_u2.ui_symlink) - 1] = 0;
}
return 0;
}
Reported by FlawFinder.
fs/ext4/resize.c
4 issues
Line: 577
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
brelse(gdb);
goto out;
}
memcpy(gdb->b_data, sbi_array_rcu_deref(sbi,
s_group_desc, j)->b_data, gdb->b_size);
set_buffer_uptodate(gdb);
err = ext4_handle_dirty_metadata(handle, NULL, gdb);
if (unlikely(err)) {
Reported by FlawFinder.
Line: 899
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
rcu_read_lock();
o_group_desc = rcu_dereference(EXT4_SB(sb)->s_group_desc);
memcpy(n_group_desc, o_group_desc,
EXT4_SB(sb)->s_gdb_count * sizeof(struct buffer_head *));
rcu_read_unlock();
n_group_desc[gdb_num] = gdb_bh;
rcu_assign_pointer(EXT4_SB(sb)->s_group_desc, n_group_desc);
EXT4_SB(sb)->s_gdb_count++;
Reported by FlawFinder.
Line: 953
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
rcu_read_lock();
o_group_desc = rcu_dereference(EXT4_SB(sb)->s_group_desc);
memcpy(n_group_desc, o_group_desc,
EXT4_SB(sb)->s_gdb_count * sizeof(struct buffer_head *));
rcu_read_unlock();
n_group_desc[gdb_num] = gdb_bh;
BUFFER_TRACE(gdb_bh, "get_write_access");
Reported by FlawFinder.
Line: 1157
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
break;
}
lock_buffer(bh);
memcpy(bh->b_data, data, size);
if (rest)
memset(bh->b_data + size, 0, rest);
set_buffer_uptodate(bh);
unlock_buffer(bh);
err = ext4_handle_dirty_metadata(handle, NULL, bh);
Reported by FlawFinder.
fs/f2fs/compress.c
4 issues
Line: 1723
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!f2fs_is_valid_blkaddr(sbi, blkaddr, DATA_GENERIC_ENHANCE_READ))
goto out;
memcpy(page_address(cpage), page_address(page), PAGE_SIZE);
SetPageUptodate(cpage);
out:
f2fs_put_page(cpage, 1);
}
Reported by FlawFinder.
Line: 1743
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (cpage) {
if (PageUptodate(cpage)) {
atomic_inc(&sbi->compress_page_hit);
memcpy(page_address(page),
page_address(cpage), PAGE_SIZE);
hitted = true;
}
f2fs_put_page(cpage, 1);
}
Reported by FlawFinder.
Line: 1830
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int f2fs_init_page_array_cache(struct f2fs_sb_info *sbi)
{
dev_t dev = sbi->sb->s_bdev->bd_dev;
char slab_name[32];
sprintf(slab_name, "f2fs_page_array_entry-%u:%u", MAJOR(dev), MINOR(dev));
sbi->page_array_slab_size = sizeof(struct page *) <<
F2FS_OPTION(sbi).compress_log_size;
Reported by FlawFinder.
Line: 1832
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
dev_t dev = sbi->sb->s_bdev->bd_dev;
char slab_name[32];
sprintf(slab_name, "f2fs_page_array_entry-%u:%u", MAJOR(dev), MINOR(dev));
sbi->page_array_slab_size = sizeof(struct page *) <<
F2FS_OPTION(sbi).compress_log_size;
sbi->page_array_slab = f2fs_kmem_cache_create(slab_name,
Reported by FlawFinder.
fs/f2fs/dir.c
4 issues
Line: 45
Column: 17
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
return 4;
}
static unsigned char f2fs_filetype_table[F2FS_FT_MAX] = {
[F2FS_FT_UNKNOWN] = DT_UNKNOWN,
[F2FS_FT_REG_FILE] = DT_REG,
[F2FS_FT_DIR] = DT_DIR,
[F2FS_FT_CHRDEV] = DT_CHR,
[F2FS_FT_BLKDEV] = DT_BLK,
Reported by FlawFinder.
Line: 56
Column: 17
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
[F2FS_FT_SYMLINK] = DT_LNK,
};
static unsigned char f2fs_type_by_mode[S_IFMT >> S_SHIFT] = {
[S_IFREG >> S_SHIFT] = F2FS_FT_REG_FILE,
[S_IFDIR >> S_SHIFT] = F2FS_FT_DIR,
[S_IFCHR >> S_SHIFT] = F2FS_FT_CHRDEV,
[S_IFBLK >> S_SHIFT] = F2FS_FT_BLKDEV,
[S_IFIFO >> S_SHIFT] = F2FS_FT_FIFO,
Reported by FlawFinder.
Line: 505
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* copy name info. to this inode page */
ri = F2FS_INODE(ipage);
ri->i_namelen = cpu_to_le32(fname->disk_name.len);
memcpy(ri->i_name, fname->disk_name.name, fname->disk_name.len);
if (IS_ENCRYPTED(dir)) {
file_set_enc_name(inode);
/*
* Roll-forward recovery doesn't have encryption keys available,
* so it can't compute the dirhash for encrypted+casefolded
Reported by FlawFinder.
Line: 695
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
de = &d->dentry[bit_pos];
de->hash_code = name_hash;
de->name_len = cpu_to_le16(name->len);
memcpy(d->filename[bit_pos], name->name, name->len);
de->ino = cpu_to_le32(ino);
set_de_type(de, mode);
for (i = 0; i < slots; i++) {
__set_bit_le(bit_pos + i, (void *)d->bitmap);
/* avoid wrong garbage data for readdir */
Reported by FlawFinder.
include/linux/mlx4/device.h
4 issues
Line: 693
Column: 8
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
u64 size;
u32 key;
u32 pd;
u32 access;
int enabled;
};
enum mlx4_mw_type {
MLX4_MW_TYPE_1 = 1,
Reported by FlawFinder.
Line: 1105
Column: 73
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
void mlx4_mtt_cleanup(struct mlx4_dev *dev, struct mlx4_mtt *mtt);
u64 mlx4_mtt_addr(struct mlx4_dev *dev, struct mlx4_mtt *mtt);
int mlx4_mr_alloc(struct mlx4_dev *dev, u32 pd, u64 iova, u64 size, u32 access,
int npages, int page_shift, struct mlx4_mr *mr);
int mlx4_mr_free(struct mlx4_dev *dev, struct mlx4_mr *mr);
int mlx4_mr_enable(struct mlx4_dev *dev, struct mlx4_mr *mr);
int mlx4_mw_alloc(struct mlx4_dev *dev, u32 pd, enum mlx4_mw_type type,
struct mlx4_mw *mw);
Reported by FlawFinder.
Line: 1515
Column: 13
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
u32 pdn);
int mlx4_mr_hw_change_access(struct mlx4_dev *dev,
struct mlx4_mpt_entry *mpt_entry,
u32 access);
void mlx4_mr_hw_put_mpt(struct mlx4_dev *dev,
struct mlx4_mpt_entry **mpt_entry);
void mlx4_mr_rereg_mem_cleanup(struct mlx4_dev *dev, struct mlx4_mr *mr);
int mlx4_mr_rereg_mem_write(struct mlx4_dev *dev, struct mlx4_mr *mr,
u64 iova, u64 size, int npages,
Reported by FlawFinder.
Line: 883
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct radix_tree_root qp_table_tree;
u8 rev_id;
u8 port_random_macs;
char board_id[MLX4_BOARD_ID_LEN];
int numa_node;
int oper_log_mgm_entry_size;
u64 regid_promisc_array[MLX4_MAX_PORTS + 1];
u64 regid_allmulti_array[MLX4_MAX_PORTS + 1];
struct mlx4_vf_dev *dev_vfs;
Reported by FlawFinder.
fs/file.c
4 issues
Line: 61
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cpy = count / BITS_PER_BYTE;
set = (nfdt->max_fds - count) / BITS_PER_BYTE;
memcpy(nfdt->open_fds, ofdt->open_fds, cpy);
memset((char *)nfdt->open_fds + cpy, 0, set);
memcpy(nfdt->close_on_exec, ofdt->close_on_exec, cpy);
memset((char *)nfdt->close_on_exec + cpy, 0, set);
cpy = BITBIT_SIZE(count);
Reported by FlawFinder.
Line: 63
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
set = (nfdt->max_fds - count) / BITS_PER_BYTE;
memcpy(nfdt->open_fds, ofdt->open_fds, cpy);
memset((char *)nfdt->open_fds + cpy, 0, set);
memcpy(nfdt->close_on_exec, ofdt->close_on_exec, cpy);
memset((char *)nfdt->close_on_exec + cpy, 0, set);
cpy = BITBIT_SIZE(count);
set = BITBIT_SIZE(nfdt->max_fds) - cpy;
memcpy(nfdt->full_fds_bits, ofdt->full_fds_bits, cpy);
Reported by FlawFinder.
Line: 68
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cpy = BITBIT_SIZE(count);
set = BITBIT_SIZE(nfdt->max_fds) - cpy;
memcpy(nfdt->full_fds_bits, ofdt->full_fds_bits, cpy);
memset((char *)nfdt->full_fds_bits + cpy, 0, set);
}
/*
* Copy all file descriptors from the old table to the new, expanded table and
Reported by FlawFinder.
Line: 84
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cpy = ofdt->max_fds * sizeof(struct file *);
set = (nfdt->max_fds - ofdt->max_fds) * sizeof(struct file *);
memcpy(nfdt->fd, ofdt->fd, cpy);
memset((char *)nfdt->fd + cpy, 0, set);
copy_fd_bitmaps(nfdt, ofdt, ofdt->max_fds);
}
Reported by FlawFinder.
fs/filesystems.c
4 issues
Line: 220
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
read_lock(&file_systems_lock);
tmp = file_systems;
while (tmp && len < PAGE_SIZE - 80) {
len += sprintf(buf+len, "%s\t%s\n",
(tmp->fs_flags & FS_REQUIRES_DEV) ? "" : "nodev",
tmp->name);
tmp = tmp->next;
}
read_unlock(&file_systems_lock);
Reported by FlawFinder.
Line: 85
Column: 32
CWE codes:
126
if (fs->next)
return -EBUSY;
write_lock(&file_systems_lock);
p = find_filesystem(fs->name, strlen(fs->name));
if (*p)
res = -EBUSY;
else
*p = fs;
write_unlock(&file_systems_lock);
Reported by FlawFinder.
Line: 170
Column: 8
CWE codes:
126
return -EINVAL;
/* OK, we got the reference, so we can safely block */
len = strlen(tmp->name) + 1;
res = copy_to_user(buf, tmp->name, len) ? -EFAULT : 0;
put_filesystem(tmp);
return res;
}
Reported by FlawFinder.
Line: 270
Column: 31
CWE codes:
126
{
struct file_system_type *fs;
const char *dot = strchr(name, '.');
int len = dot ? dot - name : strlen(name);
fs = __get_fs_type(name, len);
if (!fs && (request_module("fs-%.*s", len, name) == 0)) {
fs = __get_fs_type(name, len);
if (!fs)
Reported by FlawFinder.
drivers/visorbus/visorchannel.c
4 issues
Line: 73
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
char *visorchannel_guid_id(const guid_t *guid, char *s)
{
sprintf(s, "%pUL", guid);
return s;
}
char *visorchannel_id(struct visorchannel *channel, char *s)
{
Reported by FlawFinder.
Line: 117
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (offset + nbytes > channel->nbytes)
return -EIO;
memcpy(dest, channel->mapped + offset, nbytes);
return 0;
}
int visorchannel_write(struct visorchannel *channel, ulong offset, void *dest,
ulong nbytes)
Reported by FlawFinder.
Line: 132
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (offset < chdr_size) {
copy_size = min(chdr_size - offset, nbytes);
memcpy(((char *)(&channel->chan_hdr)) + offset,
dest, copy_size);
}
memcpy(channel->mapped + offset, dest, nbytes);
return 0;
}
Reported by FlawFinder.
Line: 135
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(((char *)(&channel->chan_hdr)) + offset,
dest, copy_size);
}
memcpy(channel->mapped + offset, dest, nbytes);
return 0;
}
void *visorchannel_get_header(struct visorchannel *channel)
{
Reported by FlawFinder.
drivers/video/fbdev/riva/fbdev.c
4 issues
Line: 325
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct backlight_properties props;
struct fb_info *info = pci_get_drvdata(par->pdev);
struct backlight_device *bd;
char name[12];
if (!par->FlatPanel)
return;
#ifdef CONFIG_PMAC_BACKLIGHT
Reported by FlawFinder.
Line: 706
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
vBlankEnd = vTotal + 1;
dotClock = 1000000000 / info->var.pixclock;
memcpy(&newmode, ®_template, sizeof(struct riva_regs));
if ((info->var.vmode & FB_VMODE_MASK) == FB_VMODE_INTERLACED)
vTotal |= 1;
if (par->FlatPanel) {
Reported by FlawFinder.
Line: 1938
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if(default_par->riva.Architecture == NV_ARCH_10 ||
default_par->riva.Architecture == NV_ARCH_20 ||
default_par->riva.Architecture == NV_ARCH_30) {
sprintf(rivafb_fix.id, "NV%x", (pd->device & 0x0ff0) >> 4);
} else {
sprintf(rivafb_fix.id, "NV%x", default_par->riva.Architecture);
}
default_par->FlatPanel = flatpanel;
Reported by FlawFinder.
Line: 1940
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
default_par->riva.Architecture == NV_ARCH_30) {
sprintf(rivafb_fix.id, "NV%x", (pd->device & 0x0ff0) >> 4);
} else {
sprintf(rivafb_fix.id, "NV%x", default_par->riva.Architecture);
}
default_par->FlatPanel = flatpanel;
if (flatpanel == 1)
printk(KERN_INFO PFX "flatpanel support enabled\n");
Reported by FlawFinder.