The following issues were found
include/linux/min_heap.h
3 issues
Line: 89
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Place last element at the root (position 0) and then sift down. */
heap->nr--;
memcpy(data, data + (heap->nr * func->elem_size), func->elem_size);
min_heapify(heap, 0, func);
}
/*
* Remove the minimum element and then push the given element. The
Reported by FlawFinder.
Line: 103
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
const void *element,
const struct min_heap_callbacks *func)
{
memcpy(heap->data, element, func->elem_size);
min_heapify(heap, 0, func);
}
/* Push an element on to the heap, O(log2(nr)). */
static __always_inline
Reported by FlawFinder.
Line: 121
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Place at the end of data. */
pos = heap->nr;
memcpy(data + (pos * func->elem_size), element, func->elem_size);
heap->nr++;
/* Sift child at pos up. */
for (; pos > 0; pos = (pos - 1) / 2) {
child = data + (pos * func->elem_size);
Reported by FlawFinder.
fs/udf/symlink.c
3 issues
Line: 66
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
case 3:
if (tolen < 3)
return -ENAMETOOLONG;
memcpy(p, "../", 3);
p += 3;
tolen -= 3;
break;
case 4:
if (tolen < 2)
Reported by FlawFinder.
Line: 73
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
case 4:
if (tolen < 2)
return -ENAMETOOLONG;
memcpy(p, "./", 2);
p += 2;
tolen -= 2;
/* that would be . - just ignore */
break;
case 5:
Reported by FlawFinder.
Line: 176
Column: 15
CWE codes:
126
* let's report the length of string returned by readlink(2) for
* st_size.
*/
stat->size = strlen(page_address(page));
put_page(page);
return 0;
}
Reported by FlawFinder.
fs/ufs/dir.c
3 issues
Line: 389
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
ufs_set_de_namlen(sb, de, namelen);
memcpy(de->d_name, name, namelen + 1);
de->d_ino = cpu_to_fs32(sb, inode->i_ino);
ufs_set_de_type(sb, de, inode->i_mode);
err = ufs_commit_chunk(page, pos, rec_len);
dir->i_mtime = dir->i_ctime = current_time(dir);
Reported by FlawFinder.
Line: 579
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
ufs_set_de_type(sb, de, dir->i_mode);
de->d_reclen = cpu_to_fs16(sb, chunk_size - UFS_DIR_REC_LEN(1));
ufs_set_de_namlen(sb, de, 2);
strcpy (de->d_name, "..");
kunmap(page);
err = ufs_commit_chunk(page, 0, chunk_size);
fail:
put_page(page);
Reported by FlawFinder.
Line: 572
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
ufs_set_de_type(sb, de, inode->i_mode);
ufs_set_de_namlen(sb, de, 1);
de->d_reclen = cpu_to_fs16(sb, UFS_DIR_REC_LEN(1));
strcpy (de->d_name, ".");
de = (struct ufs_dir_entry *)
((char *)de + fs16_to_cpu(sb, de->d_reclen));
de->d_ino = cpu_to_fs32(sb, dir->i_ino);
ufs_set_de_type(sb, de, dir->i_mode);
de->d_reclen = cpu_to_fs16(sb, chunk_size - UFS_DIR_REC_LEN(1));
Reported by FlawFinder.
include/linux/highmem.h
3 issues
Line: 276
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
char *src = kmap_local_page(src_page);
VM_BUG_ON(dst_off + len > PAGE_SIZE || src_off + len > PAGE_SIZE);
memcpy(dst + dst_off, src + src_off, len);
kunmap_local(src);
kunmap_local(dst);
}
static inline void memmove_page(struct page *dst_page, size_t dst_off,
Reported by FlawFinder.
Line: 310
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
char *from = kmap_local_page(page);
VM_BUG_ON(offset + len > PAGE_SIZE);
memcpy(to, from + offset, len);
kunmap_local(from);
}
static inline void memcpy_to_page(struct page *page, size_t offset,
const char *from, size_t len)
Reported by FlawFinder.
Line: 320
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
char *to = kmap_local_page(page);
VM_BUG_ON(offset + len > PAGE_SIZE);
memcpy(to + offset, from, len);
flush_dcache_page(page);
kunmap_local(to);
}
static inline void memzero_page(struct page *page, size_t offset, size_t len)
Reported by FlawFinder.
fs/f2fs/checkpoint.c
3 issues
Line: 933
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
cp_block = (struct f2fs_checkpoint *)page_address(cur_page);
memcpy(sbi->ckpt, cp_block, blk_size);
if (cur_page == cp1)
sbi->cur_cp_pack = 1;
else
sbi->cur_cp_pack = 2;
Reported by FlawFinder.
Line: 963
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto free_fail_no_cp;
}
sit_bitmap_ptr = page_address(cur_page);
memcpy(ckpt + i * blk_size, sit_bitmap_ptr, blk_size);
f2fs_put_page(cur_page, 1);
}
done:
f2fs_put_page(cp1, 1);
f2fs_put_page(cp2, 1);
Reported by FlawFinder.
Line: 1369
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
f2fs_wait_on_page_writeback(page, META, true, true);
memcpy(page_address(page), src, PAGE_SIZE);
set_page_dirty(page);
if (unlikely(!clear_page_dirty_for_io(page)))
f2fs_bug_on(sbi, 1);
Reported by FlawFinder.
fs/fscache/cache.c
3 issues
Line: 47
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
return ERR_PTR(-ENOMEM);
atomic_set(&xtag->usage, 1);
strcpy(xtag->name, name);
/* write lock, search again and add if still not present */
down_write(&fscache_addremove_sem);
list_for_each_entry(tag, &fscache_cache_tag_list, link) {
Reported by FlawFinder.
Line: 190
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
cache->ops = ops;
va_start(va, idfmt);
vsnprintf(cache->identifier, sizeof(cache->identifier), idfmt, va);
va_end(va);
INIT_WORK(&cache->op_gc, fscache_operation_gc);
INIT_LIST_HEAD(&cache->link);
INIT_LIST_HEAD(&cache->object_list);
Reported by FlawFinder.
Line: 41
Column: 33
CWE codes:
126
up_read(&fscache_addremove_sem);
/* the tag does not exist - create a candidate */
xtag = kzalloc(sizeof(*xtag) + strlen(name) + 1, GFP_KERNEL);
if (!xtag)
/* return a dummy tag if out of memory */
return ERR_PTR(-ENOMEM);
atomic_set(&xtag->usage, 1);
Reported by FlawFinder.
drivers/xen/xen-pciback/conf_space.h
3 issues
fs/ubifs/ubifs.h
3 issues
Line: 1265
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
spinlock_t cnt_lock;
int fmt_version;
int ro_compat_version;
unsigned char uuid[16];
int lhead_lnum;
int lhead_offs;
int ltail_lnum;
struct mutex log_mutex;
Reported by FlawFinder.
Line: 1403
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int no_orphs;
struct task_struct *bgt;
char bgt_name[sizeof(BGT_NAME_PATTERN) + 9];
int need_bgt;
int need_wbuf_sync;
int gc_lnum;
void *sbuf;
Reported by FlawFinder.
Line: 1645
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
u8 *to)
{
if (ubifs_authenticated(c))
memcpy(to, from, c->hash_len);
}
int __ubifs_node_insert_hmac(const struct ubifs_info *c, void *buf,
int len, int ofs_hmac);
static inline int ubifs_node_insert_hmac(const struct ubifs_info *c, void *buf,
Reported by FlawFinder.
fs/nfsd/flexfilelayoutxdr.c
3 issues
Line: 14
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define NFSDDBG_FACILITY NFSDDBG_PNFS
struct ff_idmap {
char buf[11];
int len;
};
__be32
nfsd4_ff_encode_layoutget(struct xdr_stream *xdr,
Reported by FlawFinder.
Line: 35
Column: 12
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
fh_len = 4 + fl->fh.size;
uid.len = sprintf(uid.buf, "%u", from_kuid(&init_user_ns, fl->uid));
gid.len = sprintf(gid.buf, "%u", from_kgid(&init_user_ns, fl->gid));
/* 8 + len for recording the length, name, and padding */
ds_len = 20 + sizeof(stateid_opaque_t) + 4 + fh_len +
8 + uid.len + 8 + gid.len;
Reported by FlawFinder.
Line: 36
Column: 12
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
fh_len = 4 + fl->fh.size;
uid.len = sprintf(uid.buf, "%u", from_kuid(&init_user_ns, fl->uid));
gid.len = sprintf(gid.buf, "%u", from_kgid(&init_user_ns, fl->gid));
/* 8 + len for recording the length, name, and padding */
ds_len = 20 + sizeof(stateid_opaque_t) + 4 + fh_len +
8 + uid.len + 8 + gid.len;
Reported by FlawFinder.
drivers/virtio/virtio_mem.c
3 issues
Line: 390
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mutex_lock(&vm->hotplug_mutex);
if (vm->bbm.bb_states)
memcpy(new_array, vm->bbm.bb_states, old_pages * PAGE_SIZE);
vfree(vm->bbm.bb_states);
vm->bbm.bb_states = new_array;
mutex_unlock(&vm->hotplug_mutex);
return 0;
Reported by FlawFinder.
Line: 456
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mutex_lock(&vm->hotplug_mutex);
if (vm->sbm.mb_states)
memcpy(new_array, vm->sbm.mb_states, old_pages * PAGE_SIZE);
vfree(vm->sbm.mb_states);
vm->sbm.mb_states = new_array;
mutex_unlock(&vm->hotplug_mutex);
return 0;
Reported by FlawFinder.
Line: 579
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mutex_lock(&vm->hotplug_mutex);
if (new_bitmap)
memcpy(new_bitmap, vm->sbm.sb_states, old_pages * PAGE_SIZE);
old_bitmap = vm->sbm.sb_states;
vm->sbm.sb_states = new_bitmap;
mutex_unlock(&vm->hotplug_mutex);
Reported by FlawFinder.