The following issues were found
fs/pstore/ram.c
4 issues
Line: 149
Column: 6
CWE codes:
120
20
Suggestion:
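Specify a limit to %s, or use a different input function. (This is FlawFinder's generic sscanf message: the conversions visible in the excerpt below are %lld, %lu, %c and %n after the RAMOOPS_KERNMSG_HDR prefix, so no unbounded string is read unless that macro itself contains a %s. What remains to check by hand is that each pointer argument, including the (time64_t *) cast, matches its conversion.)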
char data_type;
int header_length = 0;
if (sscanf(buffer, RAMOOPS_KERNMSG_HDR "%lld.%lu-%c\n%n",
(time64_t *)&time->tv_sec, &time->tv_nsec, &data_type,
&header_length) == 3) {
time->tv_nsec *= 1000;
if (data_type == 'C')
*compressed = true;
Reported by FlawFinder.
Line: 157
Column: 13
CWE codes:
120
20
Suggestion:
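Specify a limit to %s, or use a different input function. (Generic sscanf message: the conversions visible in this fallback format are %lld, %lu and %n, none of which writes a string into a buffer.)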
*compressed = true;
else
*compressed = false;
} else if (sscanf(buffer, RAMOOPS_KERNMSG_HDR "%lld.%lu\n%n",
(time64_t *)&time->tv_sec, &time->tv_nsec,
&header_length) == 2) {
time->tv_nsec *= 1000;
*compressed = false;
} else {
Reported by FlawFinder.
Line: 276
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto out;
}
memcpy(record->buf, (char *)persistent_ram_old(prz) + header_length,
size);
persistent_ram_ecc_string(prz, record->buf + size,
record->ecc_notice_size + 1);
Reported by FlawFinder.
Line: 294
Column: 2
CWE codes:
119
120
Suggestion:
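Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. (Flagged for the fixed-size array hdr[36]. In the excerpt it is written with scnprintf(hdr, sizeof(hdr), ...), which limits the write to the buffer, and the field widths listed in the declaration's comment sum to 34 characters; a longer value would be truncated rather than written past the array.)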
static size_t ramoops_write_kmsg_hdr(struct persistent_ram_zone *prz,
struct pstore_record *record)
{
char hdr[36]; /* "===="(4), %lld(20), "."(1), %06lu(6), "-%c\n"(3) */
size_t len;
len = scnprintf(hdr, sizeof(hdr),
RAMOOPS_KERNMSG_HDR "%lld.%06lu-%c\n",
(time64_t)record->time.tv_sec,
Reported by FlawFinder.
fs/kernfs/symlink.c
4 issues
Line: 77
Column: 3
CWE codes:
120
Suggestion:
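Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). (In the excerpt the source is the three-character literal "../" and the preceding check returns -ENAMETOOLONG once (s - path) + 3 reaches PATH_MAX, so the copy, including its terminating NUL, stays in bounds provided path really is PATH_MAX bytes; the allocation of path is not shown.)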
if ((s - path) + 3 >= PATH_MAX)
return -ENAMETOOLONG;
strcpy(s, "../");
s += 3;
base = base->parent;
}
/* determine end of target string for reverse fillup */
Reported by FlawFinder.
Line: 102
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
int slen = strlen(kn->name);
len -= slen;
memcpy(s + len, kn->name, slen);
if (len)
s[--len] = '/';
kn = kn->parent;
}
Reported by FlawFinder.
Line: 85
Column: 10
CWE codes:
126
/* determine end of target string for reverse fillup */
kn = target;
while (kn->parent && kn != base) {
len += strlen(kn->name) + 1;
kn = kn->parent;
}
/* check limits */
if (len < 2)
Reported by FlawFinder.
Line: 99
Column: 14
CWE codes:
126
/* reverse fillup of target string from target to base */
kn = target;
while (kn->parent && kn != base) {
int slen = strlen(kn->name);
len -= slen;
memcpy(s + len, kn->name, slen);
if (len)
s[--len] = '/';
Reported by FlawFinder.
fs/lockd/mon.c
4 issues
Line: 285
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
refcount_set(&new->sm_count, 1);
new->sm_name = (char *)(new + 1);
memcpy(nsm_addr(new), sap, salen);
new->sm_addrlen = salen;
nsm_init_private(new);
if (rpc_ntop(nsm_addr(new), new->sm_addrbuf,
sizeof(new->sm_addrbuf)) == 0)
Reported by FlawFinder.
Line: 293
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sizeof(new->sm_addrbuf)) == 0)
(void)snprintf(new->sm_addrbuf, sizeof(new->sm_addrbuf),
"unsupported address family");
memcpy(new->sm_name, hostname, hostname_len);
new->sm_name[hostname_len] = '\0';
return new;
}
Reported by FlawFinder.
Line: 216
Column: 7
CWE codes:
126
struct nsm_handle *nsm;
list_for_each_entry(nsm, nsm_handles, sm_link)
if (strlen(nsm->sm_name) == len &&
memcmp(nsm->sm_name, hostname, len) == 0)
return nsm;
return NULL;
}
Reported by FlawFinder.
Line: 426
Column: 18
CWE codes:
126
/*
 * Encode a C string onto the XDR stream: measure it with strlen(), reserve
 * 4 + len bytes in the stream (presumably the 4 is the XDR length word --
 * confirm), and pass the reservation to xdr_encode_opaque().
 *
 * NOTE(review): the CWE-126 hit is the strlen() call. It reads until the
 * first NUL, so it is only safe if every caller passes a NUL-terminated
 * buffer; the callers are not visible in this excerpt.
 * NOTE(review): the pointer returned by xdr_reserve_space() is handed to
 * xdr_encode_opaque() without a NULL check here; confirm the send buffer
 * is sized so that this reservation cannot fail.
 */
static void encode_nsm_string(struct xdr_stream *xdr, const char *string)
{
/* Length comes from the string itself, not from a caller-supplied bound. */
const u32 len = strlen(string);
__be32 *p;
p = xdr_reserve_space(xdr, 4 + len);
xdr_encode_opaque(p, string, len);
}
Reported by FlawFinder.
fs/namespace.c
4 issues
Line: 3186
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Basic sanity checks */
if (data_page)
((char *)data_page)[PAGE_SIZE - 1] = 0;
if (flags & MS_NOUSER)
return -EINVAL;
ret = security_sb_mount(dev_name, path, type_page, flags, data_page);
Reported by FlawFinder.
Line: 1019
Column: 14
CWE codes:
126
if (name)
ret = vfs_parse_fs_string(fc, "source",
name, strlen(name));
if (!ret)
ret = parse_monolithic_mount_data(fc, data);
if (!ret)
mnt = fc_mount(fc);
else
Reported by FlawFinder.
Line: 2911
Column: 17
CWE codes:
126
if (subtype)
err = vfs_parse_fs_string(fc, "subtype",
subtype, strlen(subtype));
if (!err && name)
err = vfs_parse_fs_string(fc, "source", name, strlen(name));
if (!err)
err = parse_monolithic_mount_data(fc, data);
if (!err && !mount_capable(fc))
Reported by FlawFinder.
Line: 2913
Column: 49
CWE codes:
126
err = vfs_parse_fs_string(fc, "subtype",
subtype, strlen(subtype));
if (!err && name)
err = vfs_parse_fs_string(fc, "source", name, strlen(name));
if (!err)
err = parse_monolithic_mount_data(fc, data);
if (!err && !mount_capable(fc))
err = -EPERM;
if (!err)
Reported by FlawFinder.
fs/nfs/client.c
4 issues
Line: 167
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
refcount_set(&clp->cl_count, 1);
clp->cl_cons_state = NFS_CS_INITING;
memcpy(&clp->cl_addr, cl_init->addr, cl_init->addrlen);
clp->cl_addrlen = cl_init->addrlen;
if (cl_init->hostname) {
err = -ENOMEM;
clp->cl_hostname = kstrdup(cl_init->hostname, GFP_KERNEL);
Reported by FlawFinder.
Line: 737
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Preserve the values of mount_server-related mount options */
if (ctx->mount_server.addrlen) {
memcpy(&server->mountd_address, &ctx->mount_server.address,
ctx->mount_server.addrlen);
server->mountd_addrlen = ctx->mount_server.addrlen;
}
server->mountd_version = ctx->mount_server.version;
server->mountd_port = ctx->mount_server.port;
Reported by FlawFinder.
Line: 1270
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct nfs_server *server;
struct nfs_client *clp;
char dev[13]; // 8 for 2^24, 1 for ':', 3 for 2^8, 1 for '\0'
char fsid[34]; // 2 * 16 for %llx, 1 for ':', 1 for '\0'
struct nfs_net *nn = net_generic(seq_file_net(m), nfs_net_id);
/* display header on line 1 */
if (v == &nn->nfs_volume_list) {
Reported by FlawFinder.
Line: 1271
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct nfs_server *server;
struct nfs_client *clp;
char dev[13]; // 8 for 2^24, 1 for ':', 3 for 2^8, 1 for '\0'
char fsid[34]; // 2 * 16 for %llx, 1 for ':', 1 for '\0'
struct nfs_net *nn = net_generic(seq_file_net(m), nfs_net_id);
/* display header on line 1 */
if (v == &nn->nfs_volume_list) {
seq_puts(m, "NV SERVER PORT DEV FSID"
Reported by FlawFinder.
fs/nfs/dir.c
4 issues
Line: 2901
Column: 29
CWE codes:
362/367!
Suggestion:
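Set up the correct permissions (e.g., using setuid()) and try to open the file directly. (This advice targets the userspace access(2) check-then-open race. The excerpt instead calls an `access` member reached through NFS_PROTO(inode), so the finding appears to be a match on the identifier name and needs manual triage rather than the suggested fix.)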
else
cache.mask |= NFS_ACCESS_EXECUTE;
cache.cred = cred;
status = NFS_PROTO(inode)->access(inode, &cache);
if (status != 0) {
if (status == -ESTALE) {
if (!S_ISDIR(inode->i_mode))
nfs_set_inode_stale(inode);
else
Reported by FlawFinder.
Line: 2994
Column: 25
CWE codes:
362/367!
Suggestion:
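Set up the correct permissions (e.g., using setuid()) and try to open the file directly. (This advice targets the userspace access(2) check-then-open race. The flagged expression in the excerpt only tests whether the `access` member reached through NFS_PROTO(inode) is set, so the finding appears to be a match on the identifier name and needs manual triage.)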
}
force_lookup:
if (!NFS_PROTO(inode)->access)
goto out_notsup;
res = nfs_do_access(inode, cred, mask);
out:
if (!res && (mask & MAY_EXEC))
Reported by FlawFinder.
Line: 2339
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -ENOMEM;
kaddr = page_address(page);
memcpy(kaddr, symname, pathlen);
if (pathlen < PAGE_SIZE)
memset(kaddr + pathlen, 0, PAGE_SIZE - pathlen);
trace_nfs_symlink_enter(dir, dentry);
error = NFS_PROTO(dir)->symlink(dir, dentry, page, pathlen, &attr);
Reported by FlawFinder.
Line: 2322
Column: 25
CWE codes:
126
struct page *page;
char *kaddr;
struct iattr attr;
unsigned int pathlen = strlen(symname);
int error;
dfprintk(VFS, "NFS: symlink(%s/%lu, %pd, %s)\n", dir->i_sb->s_id,
dir->i_ino, dentry, symname);
Reported by FlawFinder.
fs/nfs/dns_resolve.c
4 issues
Line: 81
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
new = container_of(cnew, struct nfs_dns_ent, h);
key = container_of(ckey, struct nfs_dns_ent, h);
memcpy(&new->addr, &key->addr, key->addrlen);
new->addrlen = key->addrlen;
}
static void nfs_dns_ent_init(struct cache_head *cnew,
struct cache_head *ckey)
Reported by FlawFinder.
Line: 193
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
ttl = 0;
if (!test_bit(CACHE_NEGATIVE, &h->flags)) {
char buf[INET6_ADDRSTRLEN+IPV6_SCOPE_ID_LEN+1];
rpc_ntop((struct sockaddr *)&item->addr, buf, sizeof(buf));
seq_printf(m, "%15s ", buf);
} else
seq_puts(m, "<none> ");
Reported by FlawFinder.
Line: 232
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int nfs_dns_parse(struct cache_detail *cd, char *buf, int buflen)
{
char buf1[NFS_DNS_HOSTNAME_MAXLEN+1];
struct nfs_dns_ent key, *item;
unsigned int ttl;
ssize_t len;
int ret = -EINVAL;
Reported by FlawFinder.
Line: 357
Column: 4
CWE codes:
120
Suggestion:
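Make sure destination can always hold the source data. (In the excerpt the copy into sa is guarded by salen >= item->addrlen, with -EOVERFLOW returned otherwise; that bounds the write as long as callers pass the true size of sa as salen, which is outside the excerpt.)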
ret = do_cache_lookup_wait(nn->nfs_dns_resolve, &key, &item);
if (ret == 0) {
if (salen >= item->addrlen) {
memcpy(sa, &item->addr, item->addrlen);
ret = item->addrlen;
} else
ret = -EOVERFLOW;
cache_put(&item->h, nn->nfs_dns_resolve);
} else if (ret == -ENOENT)
Reported by FlawFinder.
fs/orangefs/super.c
4 issues
Line: 255
Column: 2
CWE codes:
120
new_op = op_alloc(ORANGEFS_VFS_OP_FS_MOUNT);
if (!new_op)
return -ENOMEM;
strncpy(new_op->upcall.req.fs_mount.orangefs_config_server,
orangefs_sb->devname,
ORANGEFS_MAX_SERVER_ADDR_LEN);
gossip_debug(GOSSIP_SUPER_DEBUG,
"Attempting ORANGEFS Remount via host %s\n",
Reported by FlawFinder.
Line: 402
Column: 2
CWE codes:
120
return -ENOMEM;
op->upcall.req.fs_umount.id = id;
op->upcall.req.fs_umount.fs_id = fs_id;
strncpy(op->upcall.req.fs_umount.orangefs_config_server,
devname, ORANGEFS_MAX_SERVER_ADDR_LEN - 1);
r = service_operation(op, "orangefs_fs_umount", 0);
/* Not much to do about an error here. */
if (r)
gossip_err("orangefs_unmount: service_operation %d\n", r);
Reported by FlawFinder.
Line: 496
Column: 2
CWE codes:
120
if (!new_op)
return ERR_PTR(-ENOMEM);
strncpy(new_op->upcall.req.fs_mount.orangefs_config_server,
devname,
ORANGEFS_MAX_SERVER_ADDR_LEN - 1);
gossip_debug(GOSSIP_SUPER_DEBUG,
"Attempting ORANGEFS Mount via host %s\n",
Reported by FlawFinder.
Line: 545
Column: 2
CWE codes:
120
* on successful mount, store the devname and data
* used
*/
strncpy(ORANGEFS_SB(sb)->devname,
devname,
ORANGEFS_MAX_SERVER_ADDR_LEN - 1);
/* mount_pending must be cleared */
ORANGEFS_SB(sb)->mount_pending = 0;
Reported by FlawFinder.
fs/nfs/namespace.c
4 issues
Line: 80
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (buflen < 0)
goto Elong_unlock;
end -= namelen;
memcpy(end, dentry->d_name.name, namelen);
*--end = '/';
spin_unlock(&dentry->d_lock);
dentry = dentry->d_parent;
}
if (read_seqretry(&rename_lock, seq)) {
Reported by FlawFinder.
Line: 119
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto Elong;
}
end -= namelen;
memcpy(end, base, namelen);
spin_unlock(&dentry->d_lock);
rcu_read_unlock();
return end;
Elong_unlock:
spin_unlock(&dentry->d_lock);
Reported by FlawFinder.
Line: 178
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
/* for submounts we want the same server; referrals will reassign */
memcpy(&ctx->nfs_server.address, &client->cl_addr, client->cl_addrlen);
ctx->nfs_server.addrlen = client->cl_addrlen;
ctx->nfs_server.port = server->port;
ctx->version = client->rpc_ops->version;
ctx->minorversion = client->cl_minorversion;
Reported by FlawFinder.
Line: 106
Column: 12
CWE codes:
126
WARN_ON(1);
return end;
}
namelen = strlen(base);
if (*end == '/') {
/* Strip off excess slashes in base string */
while (namelen > 0 && base[namelen - 1] == '/')
namelen--;
}
Reported by FlawFinder.
drivers/watchdog/pika_wdt.c
4 issues
Line: 52
Column: 16
CWE codes:
362
/*
 * Driver state for the watchdog, held in a single file-scope instance
 * (pikawdt_private) of an anonymous struct.
 */
static struct {
void __iomem *fpga; /* MMIO pointer; presumably the FPGA register mapping -- confirm */
unsigned long next_heartbeat; /* the next_heartbeat for the timer */
/*
 * NOTE(review): FlawFinder's CWE-362 hit points at this member name, not
 * at an open(2) call. Other excerpts on this page update the field with
 * test_and_set_bit()/clear_bit() on bit 0, and pikawdt_ping() reads it
 * with a plain load.
 */
unsigned long open;
char expect_close;
int bootstatus;
struct timer_list timer; /* The timer that pings the watchdog */
} pikawdt_private;
Reported by FlawFinder.
Line: 92
Column: 35
CWE codes:
362
/*
 * Timer callback (the timer_list argument is unused). If jiffies is still
 * before next_heartbeat, or if nowayout is zero and the open flag is clear,
 * call pikawdt_reset() and re-arm the timer WDT_TIMEOUT jiffies ahead.
 * Otherwise only log a critical message; the timer is not re-armed on that
 * path.
 */
static void pikawdt_ping(struct timer_list *unused)
{
/*
 * NOTE(review): the CWE-362 hit on this statement points at the member
 * name `open`, not at an open(2) call. The field is read here with a
 * plain load, without any locking visible in this function.
 */
if (time_before(jiffies, pikawdt_private.next_heartbeat) ||
(!nowayout && !pikawdt_private.open)) {
pikawdt_reset();
mod_timer(&pikawdt_private.timer, jiffies + WDT_TIMEOUT);
} else
pr_crit("I will reset your machine !\n");
}
Reported by FlawFinder.
Line: 117
Column: 43
CWE codes:
362
static int pikawdt_open(struct inode *inode, struct file *file)
{
/* /dev/watchdog can only be opened once */
if (test_and_set_bit(0, &pikawdt_private.open))
return -EBUSY;
pikawdt_start();
return stream_open(inode, file);
Reported by FlawFinder.
Line: 134
Column: 32
CWE codes:
362
if (!pikawdt_private.expect_close)
del_timer(&pikawdt_private.timer);
clear_bit(0, &pikawdt_private.open);
pikawdt_private.expect_close = 0;
return 0;
}
/*
Reported by FlawFinder.