The following issues were found
fs/afs/internal.h
3 issues
Line: 683
Column: 16
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
*/
/*
 * One permit: a key paired with the access value recorded for it.
 *
 * NOTE(review): the CWE-362/367 finding reported for this excerpt appears to
 * point at the `access` member below. That is a data field, not a call to
 * access(2); nothing in this declaration checks a path and then opens it, so
 * the hit looks like an identifier match rather than a check-then-use race.
 * Confirm against the full file before suppressing it.
 */
struct afs_permit {
struct key *key; /* RxRPC ticket holding a security context */
afs_access_t access; /* CallerAccess value for this key */
};
/*
* Immutable cache of CallerAccess records from attempts to access vnodes.
* These may be shared between multiple vnodes.
Reported by FlawFinder.
Line: 247
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
/*
 * Table of up to AFS_NR_SYSNAME string pointers, carrying a refcount_t.
 *
 * NOTE(review): the CWE-119/120 findings on this struct are raised on the
 * declarations alone. `subs` holds AFS_NR_SYSNAME (16) pointers rather than
 * characters, and `blank` is a single byte; neither line copies data. The
 * check that matters lives in the code that fills the table (not shown here):
 * every index into `subs` must stay below AFS_NR_SYSNAME. `nr` presumably
 * counts the slots in use -- confirm against the writers.
 */
struct afs_sysnames {
#define AFS_NR_SYSNAME 16
char *subs[AFS_NR_SYSNAME];
refcount_t usage;
unsigned short nr;
char blank[1];
};
Reported by FlawFinder.
Line: 250
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char *subs[AFS_NR_SYSNAME];
refcount_t usage;
unsigned short nr;
char blank[1];
};
/*
* AFS network namespace record.
*/
Reported by FlawFinder.
include/linux/cpuidle.h
3 issues
Line: 49
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
struct cpuidle_state {
char name[CPUIDLE_NAME_LEN];
char desc[CPUIDLE_DESC_LEN];
s64 exit_latency_ns;
s64 target_residency_ns;
unsigned int flags;
Reported by FlawFinder.
Line: 50
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct cpuidle_state {
char name[CPUIDLE_NAME_LEN];
char desc[CPUIDLE_DESC_LEN];
s64 exit_latency_ns;
s64 target_residency_ns;
unsigned int flags;
unsigned int exit_latency; /* in US */
Reported by FlawFinder.
Line: 259
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
******************************/
struct cpuidle_governor {
char name[CPUIDLE_NAME_LEN];
struct list_head governor_list;
unsigned int rating;
int (*enable) (struct cpuidle_driver *drv,
struct cpuidle_device *dev);
Reported by FlawFinder.
drivers/video/fbdev/sm501fb.c
3 issues
Line: 1965
Column: 5
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
/* Get EDID */
/*
 * NOTE(review): the "mode" property is read from the device tree and copied
 * with strcpy(), which stops only at a NUL byte. The property length returned
 * in `len` is never compared with the capacity of fb_mode, and neither the
 * declaration of fb_mode nor its size is visible in this excerpt. An
 * over-long or unterminated property would therefore write past the
 * destination. Check `len` against the destination size first, or use a
 * bounded copy that takes that size.
 */
cp = of_get_property(np, "mode", &len);
if (cp)
strcpy(fb_mode, cp);
prop = of_get_property(np, "edid", &len);
if (prop && len == EDID_LENGTH) {
info->edid_data = kmemdup(prop, EDID_LENGTH,
GFP_KERNEL);
if (info->edid_data)
Reported by FlawFinder.
Line: 1230
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
unsigned int reg;
/*
 * NOTE(review): each pass appends one "%08x = %08x\n" record (at least 20
 * bytes) at `ptr` and advances by sprintf()'s return value. Nothing in the
 * lines shown limits the total to the capacity of `buf`, so the output size
 * is set entirely by `len`. The size of `buf` and the values callers pass for
 * `start` and `len` are not visible here -- confirm that the worst case fits,
 * or switch to scnprintf() with the remaining space.
 */
for (reg = start; reg < (len + start); reg += 4)
ptr += sprintf(ptr, "%08x = %08x\n", reg,
smc501_readl(mem + reg));
/* Number of bytes written into buf. */
return ptr - buf;
}
Reported by FlawFinder.
Line: 1724
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
strlcpy(fb->fix.id, fbname, sizeof(fb->fix.id));
memcpy(&par->ops,
(head == HEAD_CRT) ? &sm501fb_ops_crt : &sm501fb_ops_pnl,
sizeof(struct fb_ops));
/* update ops dependent on what we've been passed */
Reported by FlawFinder.
include/linux/edac.h
3 issues
Line: 372
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct dimm_info {
struct device dev;
char label[EDAC_MC_LABEL_LEN + 1]; /* DIMM label on motherboard */
/* Memory location data */
unsigned int location[EDAC_MAX_LAYERS];
struct mem_ctl_info *mci; /* the parent */
Reported by FlawFinder.
Line: 466
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* @other_detail: other driver-specific detail about the error
*/
struct edac_raw_error_desc {
char location[LOCATION_SIZE];
char label[(EDAC_MC_LABEL_LEN + 1 + sizeof(OTHER_LABEL)) * EDAC_MAX_LABELS];
long grain;
u16 error_count;
enum hw_event_mc_err_type type;
Reported by FlawFinder.
Line: 467
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
struct edac_raw_error_desc {
char location[LOCATION_SIZE];
char label[(EDAC_MC_LABEL_LEN + 1 + sizeof(OTHER_LABEL)) * EDAC_MAX_LABELS];
long grain;
u16 error_count;
enum hw_event_mc_err_type type;
int top_layer;
Reported by FlawFinder.
fs/ocfs2/dlmfs/userdlm.c
3 issues
Line: 543
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Writing the LVB requires the lock to be held at DLM_LOCK_EX or above. */
BUG_ON(lockres->l_level < DLM_LOCK_EX);
lvb = ocfs2_dlm_lvb(&lockres->l_lksb);
/*
 * NOTE(review): `len` is used as the copy size with no bound in the lines
 * shown. The read path in this file copies exactly DLM_LVB_LEN bytes out of
 * the same block, so the caller is presumably expected to have limited `len`
 * to DLM_LVB_LEN before getting here -- confirm at the call site.
 */
memcpy(lvb, val, len);
spin_unlock(&lockres->l_lock);
}
bool user_dlm_read_lvb(struct inode *inode, char *val)
Reported by FlawFinder.
Line: 559
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
BUG_ON(lockres->l_level < DLM_LOCK_PR);
if (ocfs2_dlm_lvb_valid(&lockres->l_lksb)) {
lvb = ocfs2_dlm_lvb(&lockres->l_lksb);
memcpy(val, lvb, DLM_LVB_LEN);
} else
ret = false;
spin_unlock(&lockres->l_lock);
return ret;
Reported by FlawFinder.
Line: 581
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* should have been checked before getting here. */
/*
 * NOTE(review): this BUG_ON() is the only bound on the copy in the lines
 * shown. It halts the kernel instead of returning an error, so the length
 * must already have been rejected earlier on any path reachable with a
 * user-chosen name. The capacity of l_name is not visible here; presumably
 * it is USER_DLM_LOCK_ID_MAX_LEN -- confirm. The copy adds no NUL; the length
 * is kept separately in l_namelen.
 */
BUG_ON(dentry->d_name.len >= USER_DLM_LOCK_ID_MAX_LEN);
memcpy(lockres->l_name,
dentry->d_name.name,
dentry->d_name.len);
lockres->l_namelen = dentry->d_name.len;
}
Reported by FlawFinder.
include/linux/efi.h
3 issues
Line: 387
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/*
 * Describes one configuration table: its GUID, a pointer slot and a name.
 *
 * NOTE(review): the CWE-119/120 finding is on the `name` declaration only.
 * The member is `const char[16]`, so it is filled by an initializer and not
 * by a run-time copy through this type. Readers should still treat it as at
 * most 16 bytes; whether every initializer leaves room for a NUL cannot be
 * told from this excerpt.
 */
typedef struct {
efi_guid_t guid;
unsigned long *ptr;
const char name[16];
} efi_config_table_type_t;
#define EFI_SYSTEM_TABLE_SIGNATURE ((u64)0x5453595320494249ULL)
#define EFI_2_30_SYSTEM_TABLE_REVISION ((2 << 16) | (30))
Reported by FlawFinder.
Line: 603
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
/*
 * Format @guid into @out as text and return @out.
 *
 * The function takes no buffer size, so the caller alone guarantees capacity.
 * "%pUl" is the kernel's lower-case UUID format and emits 36 characters, so
 * @out needs at least 37 bytes including the terminating NUL.
 *
 * NOTE(review): a variant that accepts the destination size and uses
 * snprintf() would make that requirement checkable, but it changes the
 * signature for every caller.
 */
static inline char *
efi_guid_to_str(efi_guid_t *guid, char *out)
{
sprintf(out, "%pUl", guid->b);
return out;
}
extern void efi_init (void);
#ifdef CONFIG_EFI
Reported by FlawFinder.
Line: 1261
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* name and 0 data size.
*/
/*
 * NOTE(review): packed record with a fixed 256-byte name, then data_size and
 * a flexible data[] array. The CWE-119/120 finding is on the `name`
 * declaration only. What needs checking is the code that walks these entries
 * (not shown here): `name` should be confirmed NUL-terminated within its 256
 * bytes before it is used as a string, and data_size should be validated
 * against the space remaining in the table before data[] is read.
 */
struct efi_mokvar_table_entry {
char name[256];
u64 data_size;
u8 data[];
} __attribute((packed));
#ifdef CONFIG_LOAD_UEFI_KEYS
Reported by FlawFinder.
fs/overlayfs/export.c
3 issues
Line: 655
CWE codes:
476
{
struct ovl_fs *ofs = sb->s_fs_info;
/*
 * NOTE(review): lowerpath is dereferenced whenever upper is NULL (for
 * ->layer) and again when both upper and index are NULL (for ->dentry). The
 * CWE-476 finding holds only if a caller can pass a NULL lowerpath in those
 * cases. The callers are not shown here -- confirm the contract, or add an
 * explicit check before these initializers.
 */
const struct ovl_layer *layer = upper ? &ofs->layers[0] : lowerpath->layer;
struct dentry *real = upper ?: (index ?: lowerpath->dentry);
/*
* Obtain a disconnected overlay dentry from a non-dir real dentry
* and index.
*/
Reported by Cppcheck.
Line: 237
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
len = OVL_FH_LEN(fh);
/*
 * NOTE(review): the copy is guarded by len <= buflen, so the CWE-120 finding
 * is already covered, provided buflen is expressed in the same unit as len --
 * confirm at the caller. `err` is set to len whether or not the copy took
 * place, so a caller presumably has to treat a return value larger than its
 * buffer as "nothing written".
 */
if (len <= buflen)
memcpy(fid, fh, len);
err = len;
out:
kfree(fh);
return err;
Reported by FlawFinder.
Line: 794
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return ERR_PTR(-ENOMEM);
/* Copy unaligned inner fh into aligned buffer */
/*
 * NOTE(review): the copy size is buflen - OVL_FH_WIRE_OFFSET. The allocation
 * of fh and any validation of buflen sit above this excerpt. Two things must
 * hold: buflen is at least OVL_FH_WIRE_OFFSET, or the subtraction yields a
 * negative or very large size; and the allocation covers the same number of
 * bytes starting at fh->fb. Confirm both against the lines not shown.
 */
memcpy(&fh->fb, fid, buflen - OVL_FH_WIRE_OFFSET);
return fh;
}
static struct dentry *ovl_fh_to_dentry(struct super_block *sb, struct fid *fid,
int fh_len, int fh_type)
Reported by FlawFinder.
include/linux/seq_file.h
3 issues
Line: 246
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* stack buffer.
*/
/*
 * NOTE(review): termination is handled inside the macro. val_buf has
 * length + 1 bytes, strncpy() writes at most `length` of them, and the last
 * byte is then set to NUL, so the copy itself cannot overrun. Two
 * obligations remain with the caller: `length` sizes a variable-length array
 * on the stack, so it has to be small and bounded; and `length` is expanded
 * three times without parentheses, so it should be a plain expression with
 * no side effects.
 */
#define seq_show_option_n(m, name, value, length) { \
char val_buf[length + 1]; \
strncpy(val_buf, value, length); \
val_buf[length] = '\0'; \
seq_show_option(m, name, val_buf); \
}
Reported by FlawFinder.
Line: 135
Column: 25
CWE codes:
126
/*
 * Escape the string @src into @m by calling seq_escape_mem() with
 * strlen(@src) as the length; @flags and @esc are passed through unchanged.
 *
 * NOTE(review): the CWE-126 finding concerns strlen(), which reads until it
 * meets a NUL byte. @src must therefore be a terminated string. For a buffer
 * whose termination is not guaranteed, call seq_escape_mem() directly with
 * an explicit length.
 */
static inline void seq_escape_str(struct seq_file *m, const char *src,
unsigned int flags, const char *esc)
{
seq_escape_mem(m, src, strlen(src), flags, esc);
}
void seq_escape(struct seq_file *m, const char *s, const char *esc);
void seq_hex_dump(struct seq_file *m, const char *prefix_str, int prefix_type,
Reported by FlawFinder.
Line: 247
Column: 2
CWE codes:
120
*/
/*
 * NOTE(review): the strncpy() flagged here is bounded by `length`, and the
 * destination is declared with length + 1 bytes and terminated explicitly on
 * the following line, so the result is always a valid string. The remaining
 * risk is the size itself: `length` determines a stack array, so callers must
 * pass a small, bounded, side-effect-free value.
 */
#define seq_show_option_n(m, name, value, length) { \
char val_buf[length + 1]; \
strncpy(val_buf, value, length); \
val_buf[length] = '\0'; \
seq_show_option(m, name, val_buf); \
}
#define SEQ_START_TOKEN ((void *)1)
Reported by FlawFinder.
include/linux/efs_vh.h
3 issues
Line: 20
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define VDNAMESIZE 8
/*
 * One volume directory entry: a fixed-width name plus block number and
 * length, both stored big-endian.
 *
 * NOTE(review): the CWE-119/120 finding is on the vd_name declaration only.
 * The field is exactly VDNAMESIZE (8) bytes, and the big-endian members
 * suggest a fixed record layout, presumably read from disk. A name that uses
 * all 8 bytes would have no NUL, so readers should bound every access with
 * VDNAMESIZE instead of using str*() functions -- confirm at the users.
 */
struct volume_directory {
char vd_name[VDNAMESIZE]; /* name */
__be32 vd_lbn; /* logical block number */
__be32 vd_nbytes; /* file length in bytes */
};
struct partition_table { /* one per logical partition */
Reported by FlawFinder.
Line: 35
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
__be32 vh_magic; /* identifies volume header */
__be16 vh_rootpt; /* root partition number */
__be16 vh_swappt; /* swap partition number */
char vh_bootfile[BFNAMESIZE]; /* name of file to boot */
char pad[48]; /* device param space */
struct volume_directory vh_vd[NVDIR]; /* other vol hdr contents */
struct partition_table vh_pt[NPARTAB]; /* device partition layout */
__be32 vh_csum; /* volume header checksum */
__be32 vh_fill; /* fill out to 512 bytes */
Reported by FlawFinder.
Line: 36
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
__be16 vh_rootpt; /* root partition number */
__be16 vh_swappt; /* swap partition number */
char vh_bootfile[BFNAMESIZE]; /* name of file to boot */
char pad[48]; /* device param space */
struct volume_directory vh_vd[NVDIR]; /* other vol hdr contents */
struct partition_table vh_pt[NPARTAB]; /* device partition layout */
__be32 vh_csum; /* volume header checksum */
__be32 vh_fill; /* fill out to 512 bytes */
};
Reported by FlawFinder.
drivers/watchdog/pcwd.c
3 issues
Line: 178
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* this is private data for each ISA-PC watchdog card */
static struct {
char fw_ver_str[6]; /* The cards firmware version */
int revision; /* The card's revision */
int supports_temp; /* Whether or not the card has
a temperature device */
int command_mode; /* Whether or not the card is in
command mode */
Reported by FlawFinder.
Line: 303
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
{
int one, ten, hund, minor;
/*
 * NOTE(review): "ERROR" is 5 characters plus the NUL, which is exactly the 6
 * bytes that the fw_ver_str[6] declaration shown elsewhere on this page
 * provides. The copy fits today with no slack; a longer literal would
 * overflow silently. A bounded copy using sizeof(pcwd_private.fw_ver_str)
 * would turn that into truncation.
 */
strcpy(pcwd_private.fw_ver_str, "ERROR");
if (set_command_mode()) {
one = send_isa_command(CMD_ISA_VERSION_INTEGER);
ten = send_isa_command(CMD_ISA_VERSION_TENTH);
hund = send_isa_command(CMD_ISA_VERSION_HUNDRETH);
Reported by FlawFinder.
Line: 310
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
ten = send_isa_command(CMD_ISA_VERSION_TENTH);
hund = send_isa_command(CMD_ISA_VERSION_HUNDRETH);
minor = send_isa_command(CMD_ISA_VERSION_MINOR);
/*
 * NOTE(review): "%c.%c%c%c" always emits 5 characters plus the NUL, because
 * each %c prints one byte whatever value the card returned. That is exactly
 * the 6 bytes of the fw_ver_str[6] declaration shown elsewhere on this page,
 * so the write fits with no slack. Any change to the format would overflow;
 * snprintf() with sizeof(pcwd_private.fw_ver_str) would make the limit
 * explicit. The bytes come from the device and are not checked for being
 * printable in the lines shown.
 */
sprintf(pcwd_private.fw_ver_str, "%c.%c%c%c",
one, ten, hund, minor);
}
unset_command_mode();
return;
Reported by FlawFinder.