The following issues were found
drivers/misc/mei/mei_dev.h
3 issues
Line: 537
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct dev_pm_domain pg_domain;
#endif /* CONFIG_PM */
unsigned char rd_msg_buf[MEI_RD_MSG_BUF_SIZE];
u32 rd_msg_hdr[MEI_RD_MSG_BUF_SIZE];
int rd_msg_hdr_count;
/* write buffer */
bool hbuf_is_ready;
Reported by FlawFinder.
Line: 352
Column: 8
CWE codes:
120
20
int (*rdbuf_full_slots)(struct mei_device *dev);
u32 (*read_hdr)(const struct mei_device *dev);
int (*read)(struct mei_device *dev,
unsigned char *buf, unsigned long len);
};
/* MEI bus API*/
void mei_cl_bus_rescan_work(struct work_struct *work);
Reported by FlawFinder.
Line: 758
Column: 12
CWE codes:
120
20
static inline void mei_read_slots(struct mei_device *dev,
unsigned char *buf, unsigned long len)
{
dev->ops->read(dev, buf, len);
}
static inline int mei_count_full_read_slots(struct mei_device *dev)
{
return dev->ops->rdbuf_full_slots(dev);
Reported by FlawFinder.
drivers/misc/pci_endpoint_test.c
3 issues
Line: 846
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
goto err_iounmap;
}
snprintf(name, sizeof(name), DRV_MODULE_NAME ".%d", id);
test->name = kstrdup(name, GFP_KERNEL);
if (!test->name) {
err = -ENOMEM;
goto err_ida_remove;
}
Reported by FlawFinder.
Line: 910
Column: 6
CWE codes:
120
20
Suggestion:
Specify a limit to %s, or use a different input function
struct pci_endpoint_test *test = pci_get_drvdata(pdev);
struct miscdevice *misc_device = &test->miscdev;
if (sscanf(misc_device->name, DRV_MODULE_NAME ".%d", &id) != 1)
return;
if (id < 0)
return;
misc_deregister(&test->miscdev);
Reported by FlawFinder.
Line: 758
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
int err;
int id;
char name[24];
enum pci_barno bar;
void __iomem *base;
struct device *dev = &pdev->dev;
struct pci_endpoint_test *test;
struct pci_endpoint_test_data *data;
Reported by FlawFinder.
drivers/misc/sgi-gru/grumain.c
3 issues
Line: 459
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
static inline long gru_copy_handle(void *d, void *s)
{
memcpy(d, s, GRU_HANDLE_BYTES);
return GRU_HANDLE_BYTES;
}
static void gru_prefetch_context(void *gseg, void *cb, void *cbe,
unsigned long cbrmap, unsigned long length)
Reported by FlawFinder.
Line: 510
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (data_valid)
memcpy(gseg + GRU_DS_BASE, save, length);
else
memset(gseg + GRU_DS_BASE, 0, length);
}
static void gru_unload_context_data(void *save, void *grubase, int ctxnum,
Reported by FlawFinder.
Line: 539
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
save += gru_copy_handle(save, cbe + i * GRU_HANDLE_STRIDE);
cb += GRU_HANDLE_STRIDE;
}
memcpy(save, gseg + GRU_DS_BASE, length);
}
void gru_unload_context(struct gru_thread_state *gts, int savestate)
{
struct gru_state *gru = gts->ts_gru;
Reported by FlawFinder.
drivers/misc/tsl2550.c
3 issues
Line: 180
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct tsl2550_data *data = i2c_get_clientdata(to_i2c_client(dev));
return sprintf(buf, "%u\n", data->power_state);
}
static ssize_t tsl2550_store_power_state(struct device *dev,
struct device_attribute *attr, const char *buf, size_t count)
{
Reported by FlawFinder.
Line: 212
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct tsl2550_data *data = i2c_get_clientdata(to_i2c_client(dev));
return sprintf(buf, "%u\n", data->operating_mode);
}
static ssize_t tsl2550_store_operating_mode(struct device *dev,
struct device_attribute *attr, const char *buf, size_t count)
{
Reported by FlawFinder.
Line: 265
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (data->operating_mode == 1)
ret *= 5;
return sprintf(buf, "%d\n", ret);
}
static ssize_t tsl2550_show_lux1_input(struct device *dev,
struct device_attribute *attr, char *buf)
{
Reported by FlawFinder.
drivers/mmc/host/cqhci-crypto.c
3 issues
Line: 94
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (ccap_array[cap_idx].algorithm_id == CQHCI_CRYPTO_ALG_AES_XTS) {
/* In XTS mode, the blk_crypto_key's size is already doubled */
memcpy(cfg.crypto_key, key->raw, key->size/2);
memcpy(cfg.crypto_key + CQHCI_CRYPTO_KEY_MAX_SIZE/2,
key->raw + key->size/2, key->size/2);
} else {
memcpy(cfg.crypto_key, key->raw, key->size);
}
Reported by FlawFinder.
Line: 95
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (ccap_array[cap_idx].algorithm_id == CQHCI_CRYPTO_ALG_AES_XTS) {
/* In XTS mode, the blk_crypto_key's size is already doubled */
memcpy(cfg.crypto_key, key->raw, key->size/2);
memcpy(cfg.crypto_key + CQHCI_CRYPTO_KEY_MAX_SIZE/2,
key->raw + key->size/2, key->size/2);
} else {
memcpy(cfg.crypto_key, key->raw, key->size);
}
Reported by FlawFinder.
Line: 98
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(cfg.crypto_key + CQHCI_CRYPTO_KEY_MAX_SIZE/2,
key->raw + key->size/2, key->size/2);
} else {
memcpy(cfg.crypto_key, key->raw, key->size);
}
err = cqhci_crypto_program_key(cq_host, &cfg, slot);
memzero_explicit(&cfg, sizeof(cfg));
Reported by FlawFinder.
drivers/mmc/host/tmio_mmc_core.c
3 issues
Line: 351
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (is_read) {
sd_ctrl_read32_rep(host, CTL_SD_DATA_PORT, &data, 1);
memcpy(buf32, &data, count);
} else {
memcpy(&data, buf32, count);
sd_ctrl_write32_rep(host, CTL_SD_DATA_PORT, &data, 1);
}
Reported by FlawFinder.
Line: 353
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sd_ctrl_read32_rep(host, CTL_SD_DATA_PORT, &data, 1);
memcpy(buf32, &data, count);
} else {
memcpy(&data, buf32, count);
sd_ctrl_write32_rep(host, CTL_SD_DATA_PORT, &data, 1);
}
return;
}
Reported by FlawFinder.
Line: 432
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
unsigned long flags;
void *sg_vaddr = tmio_mmc_kmap_atomic(host->sg_orig, &flags);
memcpy(sg_vaddr, host->bounce_buf, host->bounce_sg.length);
tmio_mmc_kunmap_atomic(host->sg_orig, &flags, sg_vaddr);
}
}
/* needs to be called with host->lock held */
Reported by FlawFinder.
drivers/most/most_snd.c
3 issues
Line: 111
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
static void alsa_to_most_memcpy(void *alsa, void *most, unsigned int bytes)
{
memcpy(most, alsa, bytes);
}
static void alsa_to_most_copy16(void *alsa, void *most, unsigned int bytes)
{
swap_copy16(most, alsa, bytes);
Reported by FlawFinder.
Line: 131
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
static void most_to_alsa_memcpy(void *alsa, void *most, unsigned int bytes)
{
memcpy(alsa, most, bytes);
}
static void most_to_alsa_copy16(void *alsa, void *most, unsigned int bytes)
{
swap_copy16(alsa, most, bytes);
Reported by FlawFinder.
Line: 524
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int direction;
u16 ch_num;
char *sample_res;
char arg_list_cpy[STRING_SIZE];
if (cfg->data_type != MOST_CH_SYNC) {
pr_err("Incompatible channel type\n");
return -EINVAL;
}
Reported by FlawFinder.
drivers/mtd/chips/cfi_cmdset_0020.c
3 issues
Line: 689
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
continue;
if (buflen) { /* cut off head */
if (buflen + elem_len < ECCBUF_SIZE) { /* just accumulate */
memcpy(buffer+buflen, elem_base, elem_len);
buflen += elem_len;
continue;
}
memcpy(buffer+buflen, elem_base, ECCBUF_SIZE-buflen);
ret = mtd_write(mtd, to, ECCBUF_SIZE, &thislen,
Reported by FlawFinder.
Line: 693
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
buflen += elem_len;
continue;
}
memcpy(buffer+buflen, elem_base, ECCBUF_SIZE-buflen);
ret = mtd_write(mtd, to, ECCBUF_SIZE, &thislen,
buffer);
totlen += thislen;
if (ret || thislen != ECCBUF_SIZE)
goto write_error;
Reported by FlawFinder.
Line: 714
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
buflen = ECCBUF_MOD(elem_len); /* cut off tail */
if (buflen) {
memset(buffer, 0xff, ECCBUF_SIZE);
memcpy(buffer, elem_base + thislen, buflen);
}
}
if (buflen) { /* flush last page, even if not full */
/* This is sometimes intended behaviour, really */
ret = mtd_write(mtd, to, buflen, &thislen, buffer);
Reported by FlawFinder.
drivers/mtd/devices/mchp23k256.c
3 issues
Line: 66
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct mchp23k256_flash *flash = to_mchp23k256_flash(mtd);
struct spi_transfer transfer[2] = {};
struct spi_message message;
unsigned char command[MAX_CMD_SIZE];
int ret, cmd_len;
spi_message_init(&message);
cmd_len = mchp23k256_cmdsz(flash);
Reported by FlawFinder.
Line: 105
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct mchp23k256_flash *flash = to_mchp23k256_flash(mtd);
struct spi_transfer transfer[2] = {};
struct spi_message message;
unsigned char command[MAX_CMD_SIZE];
int ret, cmd_len;
spi_message_init(&message);
cmd_len = mchp23k256_cmdsz(flash);
Reported by FlawFinder.
Line: 147
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct spi_transfer transfer = {};
struct spi_message message;
unsigned char command[2];
spi_message_init(&message);
command[0] = MCHP23K256_CMD_WRITE_STATUS;
command[1] = MCHP23K256_MODE_SEQ;
Reported by FlawFinder.
drivers/mtd/devices/slram.c
3 issues
Line: 66
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
} slram_mtd_list_t;
#ifdef MODULE
static char *map[SLRAM_MAX_DEVICES_PARAMS];
module_param_array(map, charp, NULL, 0);
MODULE_PARM_DESC(map, "List of memory regions to map. \"map=<name>, <start>, <length / end>\"");
#else
static char *map;
Reported by FlawFinder.
Line: 112
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
slram_priv_t *priv = mtd->priv;
memcpy(buf, priv->start + from, len);
*retlen = len;
return(0);
}
static int slram_write(struct mtd_info *mtd, loff_t to, size_t len,
Reported by FlawFinder.
Line: 122
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
slram_priv_t *priv = mtd->priv;
memcpy(priv->start + to, buf, len);
*retlen = len;
return(0);
}
/*====================================================================*/
Reported by FlawFinder.