The following issues were found
fs/proc/kcore.c
3 issues
Line: 305
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
note->n_descsz = descsz;
note->n_type = type;
*i += sizeof(*note);
memcpy(¬es[*i], name, note->n_namesz);
*i = ALIGN(*i + note->n_namesz, 4);
memcpy(¬es[*i], desc, descsz);
*i = ALIGN(*i + descsz, 4);
}
Reported by FlawFinder.
Line: 307
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*i += sizeof(*note);
memcpy(¬es[*i], name, note->n_namesz);
*i = ALIGN(*i + note->n_namesz, 4);
memcpy(¬es[*i], desc, descsz);
*i = ALIGN(*i + descsz, 4);
}
static ssize_t
read_kcore(struct file *file, char __user *buffer, size_t buflen, loff_t *fpos)
Reported by FlawFinder.
Line: 301
Column: 19
CWE codes:
126
{
struct elf_note *note = (struct elf_note *)¬es[*i];
note->n_namesz = strlen(name) + 1;
note->n_descsz = descsz;
note->n_type = type;
*i += sizeof(*note);
memcpy(¬es[*i], name, note->n_namesz);
*i = ALIGN(*i + note->n_namesz, 4);
Reported by FlawFinder.
fs/befs/befs_fs_types.h
3 issues
Line: 114
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* The Superblock Structure
*/
typedef struct {
char name[B_OS_NAME_LENGTH];
fs32 magic1;
fs32 fs_byte_order;
fs32 block_size;
fs32 block_shift;
Reported by FlawFinder.
Line: 172
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
fs32 type;
fs16 name_size;
fs16 data_size;
char name[1];
} PACKED befs_small_data;
/* Inode structure */
typedef struct {
fs32 magic1;
Reported by FlawFinder.
Line: 194
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
union {
befs_disk_data_stream datastream;
char symlink[BEFS_SYMLINK_LEN];
} data;
fs32 pad[4]; /* not use */
befs_small_data small_data[1];
} PACKED befs_inode;
Reported by FlawFinder.
include/linux/sunrpc/cache.h
3 issues
Line: 251
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static inline int get_int(char **bpp, int *anint)
{
char buf[50];
char *ep;
int rv;
int len = qword_get(bpp, buf, sizeof(buf));
if (len < 0)
Reported by FlawFinder.
Line: 271
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static inline int get_uint(char **bpp, unsigned int *anint)
{
char buf[50];
int len = qword_get(bpp, buf, sizeof(buf));
if (len < 0)
return -EINVAL;
if (len == 0)
Reported by FlawFinder.
Line: 287
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static inline int get_time(char **bpp, time64_t *time)
{
char buf[50];
long long ll;
int len = qword_get(bpp, buf, sizeof(buf));
if (len < 0)
return -EINVAL;
Reported by FlawFinder.
include/linux/cper.h
3 issues
Line: 325
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Record Header, UEFI v2.7 sec N.2.1 */
struct cper_record_header {
char signature[CPER_SIG_SIZE]; /* must be CPER_SIG_RECORD */
u16 revision; /* must be CPER_RECORD_REV */
u32 signature_end; /* must be CPER_SIG_END */
u16 section_count;
u32 error_severity;
u32 validation_bits;
Reported by FlawFinder.
Line: 370
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u8 level;
u16 reserved;
u64 cpu_version;
char cpu_brand[128];
u64 proc_id;
u64 target_addr;
u64 requestor_id;
u64 responder_id;
u64 ip;
Reported by FlawFinder.
Line: 556
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Reset to default packing */
#pragma pack()
extern const char *const cper_proc_error_type_strs[4];
u64 cper_next_record_id(void);
const char *cper_severity_str(unsigned int);
const char *cper_mem_err_type_str(unsigned int);
void cper_print_bits(const char *prefix, unsigned int bits,
Reported by FlawFinder.
fs/afs/vlclient.c
3 issues
Line: 163
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
bp = call->request;
*bp++ = htonl(VLGETENTRYBYNAMEU);
*bp++ = htonl(volnamesz);
memcpy(bp, volname, volnamesz);
if (padsz > 0)
memset((void *)bp + volnamesz, 0, padsz);
trace_afs_make_vl_call(call);
afs_make_call(&vc->ac, call, GFP_KERNEL);
Reported by FlawFinder.
Line: 643
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
bp = call->request;
*bp++ = htonl(YVLGETENDPOINTS);
*bp++ = htonl(YFS_SERVER_UUID);
memcpy(bp, uuid, sizeof(*uuid)); /* Type opr_uuid */
trace_afs_make_vl_call(call);
afs_make_call(&vc->ac, call, GFP_KERNEL);
return (struct afs_addr_list *)afs_wait_for_call_to_complete(call, &vc->ac);
}
Reported by FlawFinder.
Line: 42
Column: 20
CWE codes:
126
for (i = 0; i < ARRAY_SIZE(uvldb->name) - 1; i++)
entry->name[i] = (u8)ntohl(uvldb->name[i]);
entry->name[i] = 0;
entry->name_len = strlen(entry->name);
/* If there is a new replication site that we can use, ignore all the
* sites that aren't marked as new.
*/
for (i = 0; i < nr_servers; i++) {
Reported by FlawFinder.
fs/afs/vl_list.c
3 issues
Line: 27
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
vlserver->rtt = UINT_MAX;
vlserver->name_len = name_len;
vlserver->port = port;
memcpy(vlserver->name, name, name_len);
}
return vlserver;
}
static void afs_vlserver_rcu(struct rcu_head *rcu)
Reported by FlawFinder.
Line: 118
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
_leave(" = -EINVAL [short inet]");
goto error;
}
memcpy(x, b, 4);
afs_merge_fs_addr4(alist, x[0], port);
b += 4;
break;
case DNS_ADDRESS_IS_IPV6:
Reported by FlawFinder.
Line: 128
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
_leave(" = -EINVAL [short inet6]");
goto error;
}
memcpy(x, b, 16);
afs_merge_fs_addr6(alist, x, port);
b += 16;
break;
default:
Reported by FlawFinder.
fs/lockd/svcxdr.h
3 issues
Line: 89
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!p)
return false;
cookie->len = len;
memcpy(cookie->data, p, len);
return true;
/* apparently HPUX can return empty cookies */
out_hpux:
Reported by FlawFinder.
Line: 110
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
p = xdr_reserve_space(xdr, cookie->len);
if (!p)
return false;
memcpy(p, cookie->data, cookie->len);
return true;
}
static inline bool
Reported by FlawFinder.
Line: 146
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!p)
return false;
p[quadlen - 1] = 0; /* XDR pad */
memcpy(p, obj->data, obj->len);
return true;
}
#endif /* _LOCKD_SVCXDR_H_ */
Reported by FlawFinder.
include/linux/cpufreq.h
3 issues
Line: 74
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int last_policy; /* policy before unplug */
struct cpufreq_governor *governor; /* see below */
void *governor_data;
char last_governor[CPUFREQ_NAME_LEN]; /* last governor used */
struct work_struct update; /* if update_policy() needs to be
* called, but you're in IRQ context */
struct freq_constraints constraints;
Reported by FlawFinder.
Line: 305
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct cpufreq_driver {
char name[CPUFREQ_NAME_LEN];
u16 flags;
void *driver_data;
/* needed by all drivers */
int (*init)(struct cpufreq_policy *policy);
Reported by FlawFinder.
Line: 557
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define LATENCY_MULTIPLIER (1000)
struct cpufreq_governor {
char name[CPUFREQ_NAME_LEN];
int (*init)(struct cpufreq_policy *policy);
void (*exit)(struct cpufreq_policy *policy);
int (*start)(struct cpufreq_policy *policy);
void (*stop)(struct cpufreq_policy *policy);
void (*limits)(struct cpufreq_policy *policy);
Reported by FlawFinder.
fs/pipe.c
3 issues
Line: 1280
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
unsigned int h = head & mask;
unsigned int t = tail & mask;
if (h > t) {
memcpy(bufs, pipe->bufs + t,
n * sizeof(struct pipe_buffer));
} else {
unsigned int tsize = pipe->ring_size - t;
if (h > 0)
memcpy(bufs + tsize, pipe->bufs,
Reported by FlawFinder.
Line: 1285
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
} else {
unsigned int tsize = pipe->ring_size - t;
if (h > 0)
memcpy(bufs + tsize, pipe->bufs,
h * sizeof(struct pipe_buffer));
memcpy(bufs, pipe->bufs + t,
tsize * sizeof(struct pipe_buffer));
}
}
Reported by FlawFinder.
Line: 1287
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (h > 0)
memcpy(bufs + tsize, pipe->bufs,
h * sizeof(struct pipe_buffer));
memcpy(bufs, pipe->bufs + t,
tsize * sizeof(struct pipe_buffer));
}
}
head = n;
Reported by FlawFinder.
fs/overlayfs/super.c
3 issues
Line: 1392
Column: 11
CWE codes:
377
/* Check if upper/work fs supports O_TMPFILE */
temp = ovl_do_tmpfile(ofs->workdir, S_IFREG | 0);
ofs->tmpfile = !IS_ERR(temp);
if (ofs->tmpfile)
dput(temp);
else
pr_warn("upper fs does not support tmpfile.\n");
Reported by FlawFinder.
Line: 764
Column: 48
CWE codes:
126
inode_lock_nested(dir, I_MUTEX_PARENT);
retry:
work = lookup_one_len(name, ofs->workbasedir, strlen(name));
if (!IS_ERR(work)) {
struct iattr attr = {
.ia_valid = ATTR_MODE,
.ia_mode = S_IFDIR | 0,
Reported by FlawFinder.
Line: 1314
Column: 15
CWE codes:
126
static struct dentry *ovl_lookup_or_create(struct dentry *parent,
const char *name, umode_t mode)
{
size_t len = strlen(name);
struct dentry *child;
inode_lock_nested(parent->d_inode, I_MUTEX_PARENT);
child = lookup_one_len(name, parent, len);
if (!IS_ERR(child) && !child->d_inode)
Reported by FlawFinder.