The following issues were found
drivers/misc/apds9802als.c
3 issues
Line: 42
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (val < 0)
return val;
if (val & 1)
return sprintf(buf, "4095\n");
else
return sprintf(buf, "65535\n");
}
static int als_wait_for_data_ready(struct device *dev)
Reported by FlawFinder.
Line: 44
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (val & 1)
return sprintf(buf, "4095\n");
else
return sprintf(buf, "65535\n");
}
static int als_wait_for_data_ready(struct device *dev)
{
struct i2c_client *client = to_i2c_client(dev);
Reported by FlawFinder.
Line: 101
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
pm_runtime_put_sync(dev);
temp = (ret_val << 8) | temp;
return sprintf(buf, "%d\n", temp);
failed:
mutex_unlock(&data->mutex);
pm_runtime_put_sync(dev);
return ret_val;
}
Reported by FlawFinder.
drivers/misc/cxl/of.c
3 issues
Line: 113
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int read_vpd(struct cxl *adapter, struct cxl_afu *afu)
{
char vpd[256];
int rc;
size_t len = sizeof(vpd);
memset(vpd, 0, len);
Reported by FlawFinder.
Line: 158
Column: 9
CWE codes:
126
while (i < len) {
p = (char *) prop + i;
pr_info("compatible: %s\n", p);
i += strlen(p) + 1;
}
read_prop_string(np, "name");
}
rc = read_phys_addr(np, "reg", afu);
Reported by FlawFinder.
Line: 367
Column: 9
CWE codes:
126
while (i < len) {
p = (char *) prop + i;
pr_info("compatible: %s\n", p);
i += strlen(p) + 1;
}
read_prop_string(np, "name");
read_prop_string(np, "model");
prop = of_get_property(np, "reg", NULL);
Reported by FlawFinder.
drivers/misc/eeprom/at25.c
3 issues
Line: 253
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
segment = buf_size - (offset % buf_size);
if (segment > count)
segment = count;
memcpy(cp, buf, segment);
status = spi_write(at25->spi, bounce,
segment + at25->addrlen + 1);
dev_dbg(&at25->spi->dev, "write %u bytes at %u --> %d\n",
segment, offset, status);
if (status < 0)
Reported by FlawFinder.
Line: 311
Column: 2
CWE codes:
120
u32 val;
memset(chip, 0, sizeof(*chip));
strncpy(chip->name, "at25", sizeof(chip->name));
if (device_property_read_u32(dev, "size", &val) == 0 ||
device_property_read_u32(dev, "at25,byte-len", &val) == 0) {
chip->byte_len = val;
} else {
Reported by FlawFinder.
Line: 442
Column: 3
CWE codes:
120
}
at25->chip.page_size = PAGE_SIZE;
strncpy(at25->chip.name, "fm25", sizeof(at25->chip.name));
}
/* For now we only support 8/16/24 bit addressing */
if (at25->chip.flags & EE_ADDR1)
at25->addrlen = 1;
Reported by FlawFinder.
drivers/misc/genwqe/card_ddcb.c
3 issues
Line: 335
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct ddcb_queue *queue = req->queue;
struct ddcb *pddcb = &queue->ddcb_vaddr[req->num];
memcpy(&req->cmd.asv[0], &pddcb->asv[0], DDCB_ASV_LENGTH);
/* copy status flags of the variant part */
req->cmd.vcrc = be16_to_cpu(pddcb->vcrc_16);
req->cmd.deque_ts = be64_to_cpu(pddcb->deque_ts_64);
req->cmd.cmplt_ts = be64_to_cpu(pddcb->cmplt_ts_64);
Reported by FlawFinder.
Line: 856
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* field very explicit.
*/
if (genwqe_get_slu_id(cd) <= 0x2) {
memcpy(&pddcb->__asiv[0], /* destination */
&req->cmd.__asiv[0], /* source */
DDCB_ASIV_LENGTH); /* req->cmd.asiv_length */
} else {
pddcb->n.ats_64 = cpu_to_be64(req->cmd.ats);
memcpy(&pddcb->n.asiv[0], /* destination */
Reported by FlawFinder.
Line: 861
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
DDCB_ASIV_LENGTH); /* req->cmd.asiv_length */
} else {
pddcb->n.ats_64 = cpu_to_be64(req->cmd.ats);
memcpy(&pddcb->n.asiv[0], /* destination */
&req->cmd.asiv[0], /* source */
DDCB_ASIV_LENGTH_ATS); /* req->cmd.asiv_length */
}
pddcb->icrc_hsi_shi_32 = cpu_to_be32(0x00000000); /* for crc */
Reported by FlawFinder.
drivers/misc/habanalabs/common/habanalabs_drv.c
3 issues
Line: 321
Column: 2
CWE codes:
120
hdev->asic_prop.fw_security_enabled = false;
/* Assign status description string */
strncpy(hdev->status[HL_DEVICE_STATUS_MALFUNCTION],
"disabled", HL_STR_MAX);
strncpy(hdev->status[HL_DEVICE_STATUS_IN_RESET],
"in reset", HL_STR_MAX);
strncpy(hdev->status[HL_DEVICE_STATUS_NEEDS_RESET],
"needs reset", HL_STR_MAX);
Reported by FlawFinder.
Line: 323
Column: 2
CWE codes:
120
/* Assign status description string */
strncpy(hdev->status[HL_DEVICE_STATUS_MALFUNCTION],
"disabled", HL_STR_MAX);
strncpy(hdev->status[HL_DEVICE_STATUS_IN_RESET],
"in reset", HL_STR_MAX);
strncpy(hdev->status[HL_DEVICE_STATUS_NEEDS_RESET],
"needs reset", HL_STR_MAX);
hdev->major = hl_major;
Reported by FlawFinder.
Line: 325
Column: 2
CWE codes:
120
"disabled", HL_STR_MAX);
strncpy(hdev->status[HL_DEVICE_STATUS_IN_RESET],
"in reset", HL_STR_MAX);
strncpy(hdev->status[HL_DEVICE_STATUS_NEEDS_RESET],
"needs reset", HL_STR_MAX);
hdev->major = hl_major;
hdev->reset_on_lockup = reset_on_lockup;
hdev->memory_scrub = memory_scrub;
Reported by FlawFinder.
drivers/misc/habanalabs/common/habanalabs_ioctl.c
3 issues
Line: 81
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
hw_ip.dram_page_size = prop->dram_page_size;
hw_ip.num_of_events = prop->num_of_events;
memcpy(hw_ip.cpucp_version, prop->cpucp_info.cpucp_version,
min(VERSION_MAX_LEN, HL_INFO_VERSION_MAX_LEN));
memcpy(hw_ip.card_name, prop->cpucp_info.card_name,
min(CARD_NAME_MAX_LEN, HL_INFO_CARD_NAME_MAX_LEN));
Reported by FlawFinder.
Line: 84
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(hw_ip.cpucp_version, prop->cpucp_info.cpucp_version,
min(VERSION_MAX_LEN, HL_INFO_VERSION_MAX_LEN));
memcpy(hw_ip.card_name, prop->cpucp_info.card_name,
min(CARD_NAME_MAX_LEN, HL_INFO_CARD_NAME_MAX_LEN));
hw_ip.cpld_version = le32_to_cpu(prop->cpucp_info.cpld_version);
hw_ip.module_id = le32_to_cpu(prop->cpucp_info.card_location);
Reported by FlawFinder.
Line: 652
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct hl_fpriv *hpriv = filep->private_data;
struct hl_device *hdev = hpriv->hdev;
unsigned int nr = _IOC_NR(cmd);
char stack_kdata[128] = {0};
char *kdata = NULL;
unsigned int usize, asize;
hl_ioctl_t *func;
u32 hl_size;
int retcode;
Reported by FlawFinder.
drivers/misc/ibmasm/command.c
3 issues
Line: 85
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static inline void do_exec_command(struct service_processor *sp)
{
char tsbuf[32];
dbg("%s:%d at %s\n", __func__, __LINE__, get_timestamp(tsbuf));
if (ibmasm_send_i2o_message(sp)) {
sp->current_command->status = IBMASM_CMD_FAILED;
Reported by FlawFinder.
Line: 108
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void ibmasm_exec_command(struct service_processor *sp, struct command *cmd)
{
unsigned long flags;
char tsbuf[32];
dbg("%s:%d at %s\n", __func__, __LINE__, get_timestamp(tsbuf));
spin_lock_irqsave(&sp->lock, flags);
Reported by FlawFinder.
Line: 128
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void exec_next_command(struct service_processor *sp)
{
unsigned long flags;
char tsbuf[32];
dbg("%s:%d at %s\n", __func__, __LINE__, get_timestamp(tsbuf));
spin_lock_irqsave(&sp->lock, flags);
sp->current_command = dequeue_command(sp);
Reported by FlawFinder.
drivers/misc/ibmvmc.c
3 issues
Line: 1212
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct ibmvmc_hmc *hmc;
struct ibmvmc_buffer *buffer;
size_t bytes;
char print_buffer[HMC_ID_LEN + 1];
unsigned long flags;
long rc = 0;
/* Reserve HMC session */
hmc = session->hmc;
Reported by FlawFinder.
Line: 1255
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
strncpy(print_buffer, hmc->hmc_id, HMC_ID_LEN);
pr_info("ibmvmc: sethmcid: Set HMC ID: \"%s\"\n", print_buffer);
memcpy(buffer->real_addr_local, hmc->hmc_id, HMC_ID_LEN);
/* RDMA over ID, send open msg, change state to ibmhmc_state_opening */
rc = ibmvmc_send_open(buffer, hmc);
return rc;
}
Reported by FlawFinder.
Line: 1252
Column: 2
CWE codes:
120
/* Make sure buffer is NULL terminated before trying to print it */
memset(print_buffer, 0, HMC_ID_LEN + 1);
strncpy(print_buffer, hmc->hmc_id, HMC_ID_LEN);
pr_info("ibmvmc: sethmcid: Set HMC ID: \"%s\"\n", print_buffer);
memcpy(buffer->real_addr_local, hmc->hmc_id, HMC_ID_LEN);
/* RDMA over ID, send open msg, change state to ibmhmc_state_opening */
rc = ibmvmc_send_open(buffer, hmc);
Reported by FlawFinder.
drivers/misc/mei/bus-fixup.c
3 issues
Line: 134
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int mei_osver(struct mei_cl_device *cldev)
{
const size_t size = MKHI_OSVER_BUF_LEN;
char buf[MKHI_OSVER_BUF_LEN];
struct mkhi_msg *req;
struct mkhi_fwcaps *fwcaps;
struct mei_os_ver *os_ver;
unsigned int mode = MEI_CL_IO_TX_BLOCKING | MEI_CL_IO_TX_INTERNAL;
Reported by FlawFinder.
Line: 164
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define MKHI_RCV_TIMEOUT 500 /* receive timeout in msec */
static int mei_fwver(struct mei_cl_device *cldev)
{
char buf[MKHI_FWVER_BUF_LEN];
struct mkhi_msg req;
struct mkhi_msg *rsp;
struct mkhi_fw_ver *fwver;
int bytes_recv, ret, i;
Reported by FlawFinder.
Line: 360
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto err;
}
memcpy(ver, reply->data, sizeof(*ver));
dev_info(bus->dev, "NFC MEI VERSION: IVN 0x%x Vendor ID 0x%x Type 0x%x\n",
ver->fw_ivn, ver->vendor_id, ver->radio_type);
err:
Reported by FlawFinder.
drivers/misc/mei/hw-txe.c
3 issues
Line: 724
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
mei_txe_input_ready_interrupt_enable(dev);
if (!mei_txe_is_input_ready(dev)) {
char fw_sts_str[MEI_FW_STATUS_STR_SZ];
mei_fw_status_str(dev, fw_sts_str, MEI_FW_STATUS_STR_SZ);
dev_err(dev->dev, "Input is not ready %s\n", fw_sts_str);
return -EAGAIN;
}
Reported by FlawFinder.
Line: 743
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (rem > 0) {
u32 reg = 0;
memcpy(®, (const u8 *)data + data_len - rem, rem);
mei_txe_input_payload_write(dev, i + j, reg);
}
/* after each write the whole buffer is consumed */
hw->slots = 0;
Reported by FlawFinder.
Line: 843
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (rem) {
reg = mei_txe_out_data_read(dev, i + 1);
memcpy(reg_buf, ®, rem);
}
mei_txe_output_ready_set(hw);
return 0;
}
Reported by FlawFinder.