The following issues were found
drivers/mtd/maps/physmap-bt1-rom.c
3 issues
Line: 82
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (shift) {
chunk = min_t(ssize_t, 4 - shift, len);
data = readl_relaxed(src - shift);
memcpy(to, (char *)&data + shift, chunk);
src += chunk;
to += chunk;
len -= chunk;
}
Reported by FlawFinder.
Line: 90
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
while (len >= 4) {
data = readl_relaxed(src);
memcpy(to, &data, 4);
src += 4;
to += 4;
len -= 4;
}
Reported by FlawFinder.
Line: 98
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (len) {
data = readl_relaxed(src);
memcpy(to, &data, len);
}
}
int of_flash_probe_bt1_rom(struct platform_device *pdev,
struct device_node *np,
Reported by FlawFinder.
drivers/mtd/maps/sa1100-flash.c
3 issues
Line: 199
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
break;
subdev->map.name = subdev->name;
sprintf(subdev->name, "%s-%d", plat->name, i);
subdev->plat = plat;
ret = sa1100_probe_subdev(subdev, res);
if (ret)
break;
Reported by FlawFinder.
Line: 221
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
* otherwise fail. Either way, it'll be called "sa1100".
*/
if (info->num_subdev == 1) {
strcpy(info->subdev[0].name, plat->name);
info->mtd = info->subdev[0].mtd;
ret = 0;
} else if (info->num_subdev > 1) {
struct mtd_info **cdev;
Reported by FlawFinder.
Line: 28
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#include <asm/mach/flash.h>
struct sa_subdev_info {
char name[16];
struct map_info map;
struct mtd_info *mtd;
struct flash_platform_data *plat;
};
Reported by FlawFinder.
drivers/mtd/nand/ecc-sw-hamming.c
3 issues
Line: 31
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* the array element is 1, and when the number of bits is odd
* the array eleemnt is 0.
*/
static const char invparity[256] = {
1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
Reported by FlawFinder.
Line: 55
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* this is only used for testing and repairing parity
* (a precalculated value slightly improves performance)
*/
static const char bitsperbyte[256] = {
0, 1, 1, 2, 1, 2, 2, 3, 1, 2, 2, 3, 2, 3, 3, 4,
1, 2, 2, 3, 2, 3, 3, 4, 2, 3, 3, 4, 3, 4, 4, 5,
1, 2, 2, 3, 2, 3, 3, 4, 2, 3, 3, 4, 3, 4, 4, 5,
2, 3, 3, 4, 3, 4, 4, 5, 3, 4, 4, 5, 4, 5, 5, 6,
1, 2, 2, 3, 2, 3, 3, 4, 2, 3, 3, 4, 3, 4, 4, 5,
Reported by FlawFinder.
Line: 80
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* this is only used for repairing parity
* see the comments in nand_ecc_sw_hamming_correct for more details
*/
static const char addressbits[256] = {
0x00, 0x00, 0x01, 0x01, 0x00, 0x00, 0x01, 0x01,
0x02, 0x02, 0x03, 0x03, 0x02, 0x02, 0x03, 0x03,
0x00, 0x00, 0x01, 0x01, 0x00, 0x00, 0x01, 0x01,
0x02, 0x02, 0x03, 0x03, 0x02, 0x02, 0x03, 0x03,
0x04, 0x04, 0x05, 0x05, 0x04, 0x04, 0x05, 0x05,
Reported by FlawFinder.
drivers/mtd/nand/onenand/onenand_omap2.c
3 issues
Line: 385
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
xtra = count & 3;
if (xtra) {
count -= xtra;
memcpy(buf + count, this->base + bram_offset + count, xtra);
}
dma_dst = dma_map_single(dev, buf, count, DMA_FROM_DEVICE);
dma_src = c->phys_base + bram_offset;
Reported by FlawFinder.
Line: 404
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dev_err(dev, "timeout waiting for DMA\n");
out_copy:
memcpy(buf, this->base + bram_offset, count);
return 0;
}
static int omap2_onenand_write_bufferram(struct mtd_info *mtd, int area,
const unsigned char *buffer,
Reported by FlawFinder.
Line: 444
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dev_err(dev, "timeout waiting for DMA\n");
out_copy:
memcpy(this->base + bram_offset, buf, count);
return 0;
}
static void omap2_onenand_shutdown(struct platform_device *pdev)
{
Reported by FlawFinder.
drivers/mtd/nand/onenand/onenand_samsung.c
3 issues
Line: 501
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
unsigned char *p;
p = s3c_get_bufferram(mtd, area);
memcpy(buffer, p + offset, count);
return 0;
}
static int onenand_write_bufferram(struct mtd_info *mtd, int area,
const unsigned char *buffer, int offset,
Reported by FlawFinder.
Line: 512
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
unsigned char *p;
p = s3c_get_bufferram(mtd, area);
memcpy(p + offset, buffer, count);
return 0;
}
static int (*s5pc110_dma_ops)(dma_addr_t dst, dma_addr_t src, size_t count, int direction);
Reported by FlawFinder.
Line: 680
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (count != mtd->writesize) {
/* Copy the bufferram to memory to prevent unaligned access */
memcpy_fromio(this->page_buf, p, mtd->writesize);
memcpy(buffer, this->page_buf + offset, count);
} else {
memcpy_fromio(buffer, p, count);
}
return 0;
Reported by FlawFinder.
drivers/mtd/nand/raw/nandsim.c
3 issues
Line: 1464
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ns->regs.row, ns->regs.column + ns->regs.off);
if (ns_do_read_error(ns, num))
return;
memcpy(ns->buf.byte, NS_PAGE_BYTE_OFF(ns), num);
ns_do_bit_flips(ns, num);
}
}
/*
Reported by FlawFinder.
Line: 2112
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return;
}
memcpy(ns->buf.byte + ns->regs.count, buf, len);
ns->regs.count += len;
if (ns->regs.count == ns->regs.num) {
NS_DBG("write_buf: %d bytes were written\n", ns->regs.count);
}
Reported by FlawFinder.
Line: 2155
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return;
}
memcpy(buf, ns->buf.byte + ns->regs.count, len);
ns->regs.count += len;
if (ns->regs.count == ns->regs.num) {
if (NS_STATE(ns->nxstate) == STATE_READY)
ns_switch_state(ns);
Reported by FlawFinder.
drivers/mtd/nftlcore.c
3 issues
Line: 235
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct mtd_info *mtd = nftl->mbd.mtd;
u16 BlockMap[MAX_SECTORS_PER_UNIT];
unsigned char BlockLastState[MAX_SECTORS_PER_UNIT];
unsigned char BlockFreeFound[MAX_SECTORS_PER_UNIT];
unsigned int thisEUN;
int block;
int silly;
unsigned int targetEUN;
Reported by FlawFinder.
Line: 236
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct mtd_info *mtd = nftl->mbd.mtd;
u16 BlockMap[MAX_SECTORS_PER_UNIT];
unsigned char BlockLastState[MAX_SECTORS_PER_UNIT];
unsigned char BlockFreeFound[MAX_SECTORS_PER_UNIT];
unsigned int thisEUN;
int block;
int silly;
unsigned int targetEUN;
struct nftl_oob oob;
Reported by FlawFinder.
Line: 392
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
pr_debug("Folding chain %d into unit %d\n", thisVUC, targetEUN);
for (block = 0; block < nftl->EraseSize / 512 ; block++) {
unsigned char movebuf[512];
int ret;
/* If it's in the target EUN already, or if it's pending write, do nothing */
if (BlockMap[block] == targetEUN ||
(pendingblock == (thisVUC * (nftl->EraseSize / 512) + block))) {
Reported by FlawFinder.
drivers/mtd/tests/mtd_test.c
3 issues
Line: 81
Column: 9
CWE codes:
120
20
int mtdtest_read(struct mtd_info *mtd, loff_t addr, size_t size, void *buf)
{
size_t read;
int err;
err = mtd_read(mtd, addr, size, &read, buf);
/* Ignore corrected ECC errors */
if (mtd_is_bitflip(err))
Reported by FlawFinder.
Line: 84
Column: 35
CWE codes:
120
20
size_t read;
int err;
err = mtd_read(mtd, addr, size, &read, buf);
/* Ignore corrected ECC errors */
if (mtd_is_bitflip(err))
err = 0;
if (!err && read != size)
err = -EIO;
Reported by FlawFinder.
Line: 88
Column: 14
CWE codes:
120
20
/* Ignore corrected ECC errors */
if (mtd_is_bitflip(err))
err = 0;
if (!err && read != size)
err = -EIO;
if (err)
pr_err("error: read failed at %#llx\n", addr);
return err;
Reported by FlawFinder.
drivers/mtd/tests/nandbiterrs.c
3 issues
Line: 140
Column: 47
CWE codes:
120
20
/* Saving last mtd stats */
memcpy(&oldstats, &mtd->ecc_stats, sizeof(oldstats));
err = mtd_read(mtd, offset, mtd->writesize, &read, rbuffer);
if (!err || err == -EUCLEAN)
err = mtd->ecc_stats.corrected - oldstats.corrected;
if (err < 0 || read != mtd->writesize) {
pr_err("error: read failed at %#llx\n", (long long)offset);
Reported by FlawFinder.
Line: 144
Column: 17
CWE codes:
120
20
if (!err || err == -EUCLEAN)
err = mtd->ecc_stats.corrected - oldstats.corrected;
if (err < 0 || read != mtd->writesize) {
pr_err("error: read failed at %#llx\n", (long long)offset);
if (err >= 0)
err = -EIO;
}
Reported by FlawFinder.
drivers/mtd/tests/pagetest.c
3 issues
Line: 99
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
err = mtdtest_read(mtd, addr, bufsize, twopages);
if (err)
return err;
memcpy(boundary, writebuf + mtd->erasesize - pgsize, pgsize);
prandom_bytes_state(&rnd_state, boundary + pgsize, pgsize);
if (memcmp(twopages, boundary, bufsize)) {
pr_err("error: verify failed at %#llx\n",
(long long)addr);
errcnt += 1;
Reported by FlawFinder.
Line: 214
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
pr_info("writing 1st page of block %d\n", ebnum);
prandom_bytes_state(&rnd_state, writebuf, pgsize);
strcpy(writebuf, "There is no data like this!");
err = mtdtest_write(mtd, addr0, pgsize, writebuf);
if (err)
return err;
pr_info("reading 1st page of block %d\n", ebnum);
Reported by FlawFinder.
Line: 239
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
pr_info("writing 1st page of block %d\n", ebnum);
prandom_bytes_state(&rnd_state, writebuf, pgsize);
strcpy(writebuf, "There is no data like this!");
err = mtdtest_write(mtd, addr0, pgsize, writebuf);
if (err)
return err;
pr_info("erasing block %d\n", ebnum2);
Reported by FlawFinder.