The following issues were found
fs/block_dev.c
3 issues
Line: 67
Column: 4
CWE codes:
119
120
Suggestion:
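Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length (in this excerpt the flagged buffer is name[BDEVNAME_SIZE] and the only use shown is the call bdevname(bdev, name); whether the buffer is large enough depends on how bdevname() bounds its output, which the excerpt does not show)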
spin_unlock(&inode->i_lock);
ret = write_inode_now(inode, true);
if (ret) {
char name[BDEVNAME_SIZE];
pr_warn_ratelimited("VFS: Dirty inode writeback failed "
"for block device %s (err=%d).\n",
bdevname(bdev, name), ret);
}
spin_lock(&inode->i_lock);
Reported by FlawFinder.
Line: 1252
Column: 18
CWE codes:
362
struct gendisk *disk = bdev->bd_disk;
int ret = 0;
if (disk->fops->open) {
ret = disk->fops->open(bdev, mode);
if (ret) {
/* avoid ghost partitions on a removed medium */
if (ret == -ENOMEDIUM &&
test_bit(GD_NEED_PART_SCAN, &disk->state))
Reported by FlawFinder.
Line: 1253
Column: 21
CWE codes:
362
int ret = 0;
if (disk->fops->open) {
ret = disk->fops->open(bdev, mode);
if (ret) {
/* avoid ghost partitions on a removed medium */
if (ret == -ENOMEDIUM &&
test_bit(GD_NEED_PART_SCAN, &disk->state))
bdev_disk_changed(disk, true);
Reported by FlawFinder.
fs/bfs/inode.c
3 issues
Line: 29
Column: 23
CWE codes:
134
Suggestion:
Use a constant for the format specification
/*
 * Debug tracing switch. DEBUG is undefined on the next line, so the #else
 * branch is the one selected here and dprintf() expands to nothing.
 */
#undef DEBUG
#ifdef DEBUG
/*
 * Forwards the caller's whole argument list, format string included, to
 * printf() (GNU named variadic macro syntax).
 * NOTE(review): the CWE-134 hit lands on this forwarding macro. Whether a
 * format string is constant is decided at each dprintf() call site, none of
 * which are in this excerpt; check those rather than this line.
 */
#define dprintf(x...) printf(x)
#else
#define dprintf(x...)
#endif
struct inode *bfs_iget(struct super_block *sb, unsigned long ino)
Reported by FlawFinder.
Line: 302
Column: 4
CWE codes:
120
Suggestion:
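Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused). In this excerpt each strcat() appends a single character and the loop breaks when i is greater than PAGE_SIZE - 100, so the point to confirm is that tmpbuf is at least one page and starts as an empty string; its allocation and initialisation are outside the excerpt.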
for (i = BFS_SB(s)->si_lasti; i >= 0; i--) {
if (i > PAGE_SIZE - 100) break;
if (test_bit(i, BFS_SB(s)->si_imap))
strcat(tmpbuf, "1");
else
strcat(tmpbuf, "0");
}
printf("%s: lasti=%08lx <%s>\n", prefix, BFS_SB(s)->si_lasti, tmpbuf);
free_page((unsigned long)tmpbuf);
Reported by FlawFinder.
Line: 304
Column: 4
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
if (test_bit(i, BFS_SB(s)->si_imap))
strcat(tmpbuf, "1");
else
strcat(tmpbuf, "0");
}
printf("%s: lasti=%08lx <%s>\n", prefix, BFS_SB(s)->si_lasti, tmpbuf);
free_page((unsigned long)tmpbuf);
#endif
}
Reported by FlawFinder.
fs/nfs/nfstrace.h
3 issues
Line: 867
Column: 4
CWE codes:
120
Suggestion:
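Make sure destination can always hold the source data (in this excerpt the copy writes len bytes and then stores a terminator at index len, so the destination needs len + 1 bytes; the declaration that sizes __get_str(name) is outside the excerpt)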
__entry->dev = dir->i_sb->s_dev;
__entry->dir = NFS_FILEID(dir);
__entry->error = -error;
memcpy(__get_str(name),
data->args.name.name, len);
__get_str(name)[len] = 0;
),
TP_printk(
Reported by FlawFinder.
Line: 1140
Column: 4
CWE codes:
120
Suggestion:
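Make sure destination can always hold the source data (the length here is the constant NFS4_VERIFIER_SIZE rather than a caller-supplied value, so the check reduces to confirming that __entry->verifier and verf->verifier are each at least that large; neither declaration is in the excerpt, and the finding at line 1273 has the same shape)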
__entry->arg_count = hdr->args.count;
__entry->res_count = hdr->res.count;
__entry->stable = verf->committed;
memcpy(__entry->verifier,
&verf->verifier,
NFS4_VERIFIER_SIZE);
__entry->dev = inode->i_sb->s_dev;
__entry->fileid = nfsi->fileid;
__entry->fhandle = nfs_fhandle_hash(fh);
Reported by FlawFinder.
Line: 1273
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
__entry->status = task->tk_status;
__entry->offset = data->args.offset;
__entry->stable = verf->committed;
memcpy(__entry->verifier,
&verf->verifier,
NFS4_VERIFIER_SIZE);
__entry->dev = inode->i_sb->s_dev;
__entry->fileid = nfsi->fileid;
__entry->fhandle = nfs_fhandle_hash(fh);
Reported by FlawFinder.
include/linux/regset.h
3 issues
Line: 42
Column: 3
CWE codes:
120
Suggestion:
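Make sure destination can always hold the source data (in this excerpt size is clamped to s->left immediately before the memcpy(), so the write is bounded as long as s->left accurately tracks the space remaining at s->p)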
if (s->left) {
if (size > s->left)
size = s->left;
memcpy(s->p, v, size);
s->p += size;
s->left -= size;
}
return s->left;
}
Reported by FlawFinder.
Line: 70
Column: 4
CWE codes:
120
Suggestion:
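Make sure destination can always hold the source data (in this excerpt the memcpy() runs only in the branch where __size has just been reduced to __s->left, so the copy length is the remaining space recorded in the structure)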
size_t __size = sizeof(__v); \
if (unlikely(__size > __s->left)) { \
__size = __s->left; \
memcpy(__s->p, &__v, __size); \
} else { \
*(typeof(__v + 0) *)__s->p = __v; \
} \
__s->p += __size; \
__s->left -= __size; \
Reported by FlawFinder.
Line: 266
Column: 4
CWE codes:
120
Suggestion:
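Make sure destination can always hold the source data (copy appears to be the result of the expression ending in min(*count, end_pos - *pos) at the top of the excerpt; the start of that expression is cut off, so the full bound has to be read from the source file)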
: min(*count, end_pos - *pos));
data += *pos - start_pos;
if (*kbuf) {
memcpy(data, *kbuf, copy);
*kbuf += copy;
} else if (__copy_from_user(data, *ubuf, copy))
return -EFAULT;
else
*ubuf += copy;
Reported by FlawFinder.
include/linux/kernfs.h
3 issues
Line: 109
Column: 27
CWE codes:
362
/*
 * Fields shown in this excerpt: an ops table pointer, a pointer to a
 * kernfs_open_node, a size, and a link used by kernfs_notify().
 */
struct kernfs_elem_attr {
const struct kernfs_ops *ops;
/*
 * NOTE(review): `open` here is a data member (pointer to struct
 * kernfs_open_node), not a call that opens a file. It is the only `open`
 * token in the excerpt, so the CWE-362 hit presumably matched the
 * identifier; confirm against the full header before treating it as a race.
 */
struct kernfs_open_node *open;
loff_t size;
struct kernfs_node *notify_next; /* for kernfs_notify() */
};
/*
Reported by FlawFinder.
Line: 222
Column: 8
CWE codes:
362
* Optional open/release methods. Both are called with
* @of->seq_file populated.
*/
int (*open)(struct kernfs_open_file *of);
void (*release)(struct kernfs_open_file *of);
/*
* Read is handled by either seq_file or raw_read().
*
Reported by FlawFinder.
Line: 242
Column: 12
CWE codes:
120
20
void *(*seq_next)(struct seq_file *sf, void *v, loff_t *ppos);
void (*seq_stop)(struct seq_file *sf, void *v);
ssize_t (*read)(struct kernfs_open_file *of, char *buf, size_t bytes,
loff_t off);
/*
* write() is bounced through kernel buffer. If atomic_write_len
* is not set, a write larger than PAGE_SIZE results in partial
Reported by FlawFinder.
include/linux/can/dev.h
3 issues
Line: 83
Column: 2
CWE codes:
119
120
Suggestion:
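Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length (the flagged lines here, and in the findings at lines 85 and 87, are declarations of fixed-size char array members; the excerpt contains no write to them, so the bounds to check are at the code that fills these names, which is not shown)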
#ifdef CONFIG_CAN_LEDS
struct led_trigger *tx_led_trig;
char tx_led_trig_name[CAN_LED_NAME_SZ];
struct led_trigger *rx_led_trig;
char rx_led_trig_name[CAN_LED_NAME_SZ];
struct led_trigger *rxtx_led_trig;
char rxtx_led_trig_name[CAN_LED_NAME_SZ];
#endif
Reported by FlawFinder.
Line: 85
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct led_trigger *tx_led_trig;
char tx_led_trig_name[CAN_LED_NAME_SZ];
struct led_trigger *rx_led_trig;
char rx_led_trig_name[CAN_LED_NAME_SZ];
struct led_trigger *rxtx_led_trig;
char rxtx_led_trig_name[CAN_LED_NAME_SZ];
#endif
};
Reported by FlawFinder.
Line: 87
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct led_trigger *rx_led_trig;
char rx_led_trig_name[CAN_LED_NAME_SZ];
struct led_trigger *rxtx_led_trig;
char rxtx_led_trig_name[CAN_LED_NAME_SZ];
#endif
};
/* helper to define static CAN controller features at device creation time */
Reported by FlawFinder.
include/linux/cdrom.h
3 issues
Line: 21
Column: 11
CWE codes:
119
120
Suggestion:
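Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length (the flagged line is the declaration of the fixed-size member cmd[CDROM_PACKET_SIZE], and the finding at line 55 is likewise the declaration char name[20]; neither excerpt shows a write, so the bounds to check are at the code that fills these arrays)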
struct packet_command
{
unsigned char cmd[CDROM_PACKET_SIZE];
unsigned char *buffer;
unsigned int buflen;
int stat;
struct scsi_sense_hdr *sshdr;
unsigned char data_direction;
Reported by FlawFinder.
Line: 55
Column: 6
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int vfs_events; /* cached events for vfs path */
unsigned int ioctl_events; /* cached events for ioctl path */
int use_count; /* number of times device opened */
char name[20]; /* name of the device type */
/* per-device flags */
__u8 sanyo_slot : 2; /* Sanyo 3 CD changer support */
__u8 keeplocked : 1; /* CDROM_LOCKDOOR status */
__u8 reserved : 5; /* not used yet */
int cdda_method; /* see flags */
Reported by FlawFinder.
Line: 71
Column: 8
CWE codes:
362
struct cdrom_device_ops {
/* routines */
int (*open) (struct cdrom_device_info *, int);
void (*release) (struct cdrom_device_info *);
int (*drive_status) (struct cdrom_device_info *, int);
unsigned int (*check_events) (struct cdrom_device_info *cdi,
unsigned int clearing, int slot);
int (*tray_move) (struct cdrom_device_info *, int);
Reported by FlawFinder.
fs/lockd/host.c
3 issues
Line: 137
Column: 2
CWE codes:
120
Suggestion:
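Make sure destination can always hold the source data (here the length is ni->salen, and the excerpt shows no comparison of it against the size of the storage behind nlm_addr(host); confirm that check earlier in the function or in its callers. The finding at line 391 has the same shape with src_len and nlm_srcaddr(host))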
goto out;
}
memcpy(nlm_addr(host), ni->sap, ni->salen);
host->h_addrlen = ni->salen;
rpc_set_port(nlm_addr(host), 0);
host->h_srcaddrlen = 0;
host->h_rpcclnt = NULL;
Reported by FlawFinder.
Line: 391
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (unlikely(host == NULL))
goto out;
memcpy(nlm_srcaddr(host), src_sap, src_len);
host->h_srcaddrlen = src_len;
hlist_add_head(&host->h_hash, chain);
ln->nrhosts++;
nrhosts++;
Reported by FlawFinder.
Line: 232
Column: 19
CWE codes:
126
.protocol = protocol,
.version = version,
.hostname = hostname,
.hostname_len = strlen(hostname),
.noresvport = noresvport,
.net = net,
.cred = cred,
};
struct hlist_head *chain;
Reported by FlawFinder.
fs/ocfs2/dlmfs/dlmfs.c
3 issues
Line: 228
Column: 2
CWE codes:
119
120
Suggestion:
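Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length (in this excerpt the array is read back with an explicit sizeof(lvb) bound in simple_read_from_buffer(); how user_dlm_read_lvb() fills it is not shown and is the part to verify)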
size_t count,
loff_t *ppos)
{
char lvb[DLM_LVB_LEN];
if (!user_dlm_read_lvb(file_inode(file), lvb))
return 0;
return simple_read_from_buffer(buf, count, ppos, lvb, sizeof(lvb));
Reported by FlawFinder.
Line: 241
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
size_t count,
loff_t *ppos)
{
char lvb_buf[DLM_LVB_LEN];
int bytes_left;
struct inode *inode = file_inode(filp);
mlog(0, "inode %lu, count = %zu, *ppos = %llu\n",
inode->i_ino, count, *ppos);
Reported by FlawFinder.
Line: 84
Column: 10
CWE codes:
126
const struct kernel_param *kp)
{
return strlcpy(buffer, DLMFS_CAPABILITIES,
strlen(DLMFS_CAPABILITIES) + 1);
}
module_param_call(capabilities, param_set_dlmfs_capabilities,
param_get_dlmfs_capabilities, NULL, 0444);
MODULE_PARM_DESC(capabilities, DLMFS_CAPABILITIES);
Reported by FlawFinder.
fs/proc/namespaces.c
3 issues
Line: 76
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct inode *inode = d_inode(dentry);
const struct proc_ns_operations *ns_ops = PROC_I(inode)->ns_ops;
struct task_struct *task;
char name[50];
int res = -EACCES;
task = get_proc_task(inode);
if (!task)
return res;
Reported by FlawFinder.
Line: 134
Column: 46
CWE codes:
126
last = &ns_entries[ARRAY_SIZE(ns_entries) - 1];
while (entry <= last) {
const struct proc_ns_operations *ops = *entry;
if (!proc_fill_cache(file, ctx, ops->name, strlen(ops->name),
proc_ns_instantiate, task, ops))
break;
ctx->pos++;
entry++;
}
Reported by FlawFinder.
Line: 164
Column: 7
CWE codes:
126
last = &ns_entries[ARRAY_SIZE(ns_entries)];
for (entry = ns_entries; entry < last; entry++) {
if (strlen((*entry)->name) != len)
continue;
if (!memcmp(dentry->d_name.name, (*entry)->name, len))
break;
}
if (entry == last)
Reported by FlawFinder.