The following issues were found
fs/nls/nls_euc-jp.c
3 issues
Line: 147
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* EUC to SJIS IBM extended characters map (G3 JIS X 0212 block) */
static struct {
unsigned short euc;
unsigned char sjis[2];
} euc2sjisibm_jisx0212_map[] = {
{0xA2C3, {0xFA, 0x55}}, {0xB0A9, {0xFA, 0x68}}, {0xB0C8, {0xFA, 0x69}},
{0xB0D2, {0xFA, 0x6B}}, {0xB0D4, {0xFA, 0x6C}}, {0xB0E3, {0xFA, 0x6D}},
{0xB0EE, {0xFA, 0x6E}}, {0xB1A3, {0xFA, 0x70}}, {0xB1A7, {0xFA, 0x6F}},
{0xB1A9, {0xFA, 0x72}}, {0xB1AC, {0xFA, 0x71}}, {0xB1BB, {0xFA, 0x61}},
Reported by FlawFinder.
Line: 449
Column: 13
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
MAP_SJIS2EUC(ch, cl, 0xF5, out[1], out[2], 0xF5);
} else if (IS_SJIS_IBM(out[0], out[1])) {
/* IBM extended characters */
unsigned char euc[3], i;
n = sjisibm2euc(euc, out[0], out[1]);
if (boundlen < n)
return -ENAMETOOLONG;
for (i = 0; i < n; i++)
Reported by FlawFinder.
Line: 482
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int char2uni(const unsigned char *rawstring, int boundlen,
wchar_t *uni)
{
unsigned char sjis_temp[2];
int euc_offset, n;
if ( !p_nls )
return -EINVAL;
if (boundlen <= 0)
Reported by FlawFinder.
fs/cachefiles/key.c
3 issues
Line: 11
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#include <linux/slab.h>
#include "internal.h"
static const char cachefiles_charmap[64] =
"0123456789" /* 0 - 9 */
"abcdefghijklmnopqrstuvwxyz" /* 10 - 35 */
"ABCDEFGHIJKLMNOPQRSTUVWXYZ" /* 36 - 61 */
"_-" /* 62 - 63 */
;
Reported by FlawFinder.
Line: 18
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
"_-" /* 62 - 63 */
;
static const char cachefiles_filecharmap[256] = {
/* we skip space and tab and control chars */
[33 ... 46] = 1, /* '!' -> '.' */
/* we skip '/' as it's significant to pathwalk */
[48 ... 127] = 1, /* '0' -> '~' */
};
Reported by FlawFinder.
Line: 84
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
len = 0;
/* build the cooked key */
sprintf(key, "@%02x%c+", (unsigned) csum, 0);
len = 5;
mark = len - 1;
if (print) {
acc = *(uint16_t *) raw;
Reported by FlawFinder.
drivers/video/fbdev/simplefb.c
3 issues
Line: 341
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Get all the regulators */
for_each_property_of_node(np, prop) {
char name[32]; /* 32 is max size of property name */
p = strstr(prop->name, SUPPLY_SUFFIX);
if (!p || p == prop->name)
continue;
Reported by FlawFinder.
Line: 348
Column: 4
CWE codes:
126
continue;
strlcpy(name, prop->name,
strlen(prop->name) - strlen(SUPPLY_SUFFIX) + 1);
regulator = devm_regulator_get_optional(&pdev->dev, name);
if (IS_ERR(regulator)) {
if (PTR_ERR(regulator) == -EPROBE_DEFER)
return -EPROBE_DEFER;
dev_err(&pdev->dev, "regulator %s not found: %ld\n",
Reported by FlawFinder.
Line: 348
Column: 25
CWE codes:
126
continue;
strlcpy(name, prop->name,
strlen(prop->name) - strlen(SUPPLY_SUFFIX) + 1);
regulator = devm_regulator_get_optional(&pdev->dev, name);
if (IS_ERR(regulator)) {
if (PTR_ERR(regulator) == -EPROBE_DEFER)
return -EPROBE_DEFER;
dev_err(&pdev->dev, "regulator %s not found: %ld\n",
Reported by FlawFinder.
include/drm/drm_connector.h
3 issues
Line: 1098
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*
* Name of the mode.
*/
char name[DRM_DISPLAY_MODE_LEN];
/**
* @specified:
*
* Has a mode been read from the command-line?
Reported by FlawFinder.
Line: 1724
Column: 15
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
struct drm_tile_group *drm_mode_create_tile_group(struct drm_device *dev,
const char topology[8]);
struct drm_tile_group *drm_mode_get_tile_group(struct drm_device *dev,
const char topology[8]);
void drm_mode_put_tile_group(struct drm_device *dev,
struct drm_tile_group *tg);
Reported by FlawFinder.
Line: 1726
Column: 19
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct drm_tile_group *drm_mode_create_tile_group(struct drm_device *dev,
const char topology[8]);
struct drm_tile_group *drm_mode_get_tile_group(struct drm_device *dev,
const char topology[8]);
void drm_mode_put_tile_group(struct drm_device *dev,
struct drm_tile_group *tg);
/**
* struct drm_connector_list_iter - connector_list iterator
Reported by FlawFinder.
drivers/xen/pvcalls-front.c
3 issues
Line: 206
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dst = (uint8_t *)&bedata->rsp[req_id] +
sizeof(rsp->req_id);
src = (uint8_t *)rsp + sizeof(rsp->req_id);
memcpy(dst, src, sizeof(*rsp) - sizeof(rsp->req_id));
/*
* First copy the rest of the data, then req_id. It is
* paired with the barrier when accessing bedata->rsp.
*/
smp_wmb();
Reported by FlawFinder.
Line: 459
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
req->u.connect.flags = flags;
req->u.connect.ref = map->active.ref;
req->u.connect.evtchn = evtchn;
memcpy(req->u.connect.addr, addr, sizeof(*addr));
map->sock = sock;
bedata->ring.req_prod_pvt++;
RING_PUSH_REQUESTS_AND_CHECK_NOTIFY(&bedata->ring, notify);
Reported by FlawFinder.
Line: 688
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
map->sock = sock;
req->cmd = PVCALLS_BIND;
req->u.bind.id = (uintptr_t)map;
memcpy(req->u.bind.addr, addr, sizeof(*addr));
req->u.bind.len = addr_len;
init_waitqueue_head(&map->passive.inflight_accept_req);
map->active_socket = false;
Reported by FlawFinder.
include/kunit/test.h
3 issues
Line: 231
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* to run it.
*/
struct kunit_suite {
const char name[256];
int (*init)(struct kunit *test);
void (*exit)(struct kunit *test);
struct kunit_case *test_cases;
/* private: internal use only */
Reported by FlawFinder.
Line: 237
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct kunit_case *test_cases;
/* private: internal use only */
char status_comment[KUNIT_STATUS_COMMENT_SIZE];
struct dentry *debugfs;
char *log;
};
/**
Reported by FlawFinder.
Line: 280
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
struct list_head resources; /* Protected by lock. */
char status_comment[KUNIT_STATUS_COMMENT_SIZE];
};
static inline void kunit_set_failure(struct kunit *test)
{
WRITE_ONCE(test->status, KUNIT_FAILURE);
Reported by FlawFinder.
fs/btrfs/transaction.c
3 issues
Line: 1647
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto fail;
}
btrfs_set_root_last_snapshot(&root->root_item, trans->transid);
memcpy(new_root_item, &root->root_item, sizeof(*new_root_item));
btrfs_check_and_init_root_item(new_root_item);
root_flags = btrfs_root_flags(new_root_item);
if (pending->readonly)
root_flags |= BTRFS_ROOT_SUBVOL_RDONLY;
Reported by FlawFinder.
Line: 1660
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
btrfs_set_root_generation_v2(new_root_item,
trans->transid);
generate_random_guid(new_root_item->uuid);
memcpy(new_root_item->parent_uuid, root->root_item.uuid,
BTRFS_UUID_SIZE);
if (!(root_flags & BTRFS_ROOT_SUBVOL_RDONLY)) {
memset(new_root_item->received_uuid, 0,
sizeof(new_root_item->received_uuid));
memset(&new_root_item->stime, 0, sizeof(new_root_item->stime));
Reported by FlawFinder.
Line: 2321
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
btrfs_set_super_log_root(fs_info->super_copy, 0);
btrfs_set_super_log_root_level(fs_info->super_copy, 0);
memcpy(fs_info->super_for_commit, fs_info->super_copy,
sizeof(*fs_info->super_copy));
btrfs_commit_device_sizes(cur_trans);
clear_bit(BTRFS_FS_LOG1_ERR, &fs_info->flags);
Reported by FlawFinder.
include/kvm/iodev.h
3 issues
Line: 18
Column: 8
CWE codes:
120
20
* or non-zero to have it passed to the next device.
**/
struct kvm_io_device_ops {
int (*read)(struct kvm_vcpu *vcpu,
struct kvm_io_device *this,
gpa_t addr,
int len,
void *val);
int (*write)(struct kvm_vcpu *vcpu,
Reported by FlawFinder.
Line: 46
Column: 19
CWE codes:
120
20
struct kvm_io_device *dev, gpa_t addr,
int l, void *v)
{
return dev->ops->read ? dev->ops->read(vcpu, dev, addr, l, v)
: -EOPNOTSUPP;
}
static inline int kvm_iodevice_write(struct kvm_vcpu *vcpu,
struct kvm_io_device *dev, gpa_t addr,
Reported by FlawFinder.
Line: 46
Column: 36
CWE codes:
120
20
struct kvm_io_device *dev, gpa_t addr,
int l, void *v)
{
return dev->ops->read ? dev->ops->read(vcpu, dev, addr, l, v)
: -EOPNOTSUPP;
}
static inline int kvm_iodevice_write(struct kvm_vcpu *vcpu,
struct kvm_io_device *dev, gpa_t addr,
Reported by FlawFinder.
fs/pstore/blk.c
3 issues
Line: 63
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* blkdev - the block device to use for pstore storage
* See Documentation/admin-guide/pstore-blk.rst for details.
*/
static char blkdev[80] = CONFIG_PSTORE_BLK_BLKDEV;
module_param_string(blkdev, blkdev, 80, 0400);
MODULE_PARM_DESC(blkdev, "block device for pstore storage");
/*
* All globals must only be accessed under the pstore_blk_lock
Reported by FlawFinder.
Line: 111
Column: 17
CWE codes:
120
20
pr_err("zero sized device\n");
return -EINVAL;
}
if (!dev->zone.read) {
pr_err("no read handler for device\n");
return -EINVAL;
}
if (!dev->zone.write) {
pr_err("no write handler for device\n");
Reported by FlawFinder.
Line: 246
Column: 2
CWE codes:
120
/* get information of pstore/blk */
int pstore_blk_get_config(struct pstore_blk_config *info)
{
strncpy(info->device, blkdev, 80);
info->max_reason = max_reason;
info->kmsg_size = check_size(kmsg_size, 4096);
info->pmsg_size = check_size(pmsg_size, 4096);
info->ftrace_size = check_size(ftrace_size, 4096);
info->console_size = check_size(console_size, 4096);
Reported by FlawFinder.
include/linux/acpi.h
3 issues
Line: 647
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Table must be terminted by a NULL entry */
struct acpi_platform_list {
char oem_id[ACPI_OEM_ID_SIZE+1];
char oem_table_id[ACPI_OEM_TABLE_ID_SIZE+1];
u32 oem_revision;
char *table;
enum acpi_predicate pred;
char *reason;
Reported by FlawFinder.
Line: 648
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Table must be terminted by a NULL entry */
struct acpi_platform_list {
char oem_id[ACPI_OEM_ID_SIZE+1];
char oem_table_id[ACPI_OEM_TABLE_ID_SIZE+1];
u32 oem_revision;
char *table;
enum acpi_predicate pred;
char *reason;
u32 data;
Reported by FlawFinder.
Line: 641
Column: 2
CWE codes:
126
Suggestion:
This function is often discouraged by most C++ coding standards in favor of its safer alternatives provided since C++14. Consider using a form of this function that checks the second iterator before potentially overflowing it
enum acpi_predicate {
all_versions,
less_than_or_equal,
equal,
greater_than_or_equal,
};
/* Table must be terminted by a NULL entry */
struct acpi_platform_list {
Reported by FlawFinder.