The following issues were found
lib/decompress_bunzip2.c
3 issues
Line: 106
Column: 11
CWE codes:
119
120
Suggestion:
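Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. Triage note: the hit appears to be the declaration of the fixed-size array `selectors[32768]`, not a write into it. Whether this is a real CWE-119/120 depends on how the code that stores into `selectors` bounds its index, which this excerpt does not show.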
/* Intermediate buffer and its size (in bytes) */
unsigned int *dbuf, dbufSize;
/* These things are a bit too big to go on the stack */
unsigned char selectors[32768]; /* nSelectors = 15 bits */
struct group_data groups[MAX_GROUPS]; /* Huffman coding tables */
int io_error; /* non-zero if we have IO error */
int byteCount[256];
unsigned char symToByte[256], mtfSymbol[256];
};
Reported by FlawFinder.
Line: 110
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct group_data groups[MAX_GROUPS]; /* Huffman coding tables */
int io_error; /* non-zero if we have IO error */
int byteCount[256];
unsigned char symToByte[256], mtfSymbol[256];
};
/* Return the next nnn bits of input. All reads from the compressed input
are done through this function. All reads are big endian */
Reported by FlawFinder.
Line: 235
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
RUNB) */
symCount = symTotal+2;
for (j = 0; j < groupCount; j++) {
unsigned char length[MAX_SYMBOLS], temp[MAX_HUFCODE_BITS+1];
int minLen, maxLen, pp;
/* Read Huffman code lengths for each symbol. They're
stored in a way similar to mtf; record a starting
value for the first symbol, and an offset from the
previous value for everys symbol after that.
Reported by FlawFinder.
lib/globtest.c
3 issues
Line: 29
Column: 20
CWE codes:
126
Suggestion:
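This function is often discouraged by most C++ coding standards in favor of its safer alternatives provided since C++14. Consider using a form of this function that checks the second iterator before potentially overflowing it. Triage note: this is C code, and the token at line 29, column 20 is the array identifier `mismatch` in `static char const mismatch[] __initconst = "mismatch";`, not a call to C++ `std::mismatch`. The finding looks like a name-match false positive.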
KERN_ERR "glob: \"%s\" vs. \"%s\": %s *** ERROR ***\n";
static char const msg_ok[] __initconst =
KERN_DEBUG "glob: \"%s\" vs. \"%s\": %s OK\n";
static char const mismatch[] __initconst = "mismatch";
char const *message;
if (!success)
message = msg_error;
else if (verbose)
Reported by FlawFinder.
Line: 147
Column: 8
CWE codes:
126
bool expected = *p++ & 1;
char const *pat = p;
p += strlen(p) + 1;
successes += test(pat, p, expected);
p += strlen(p) + 1;
n++;
}
Reported by FlawFinder.
Line: 149
Column: 8
CWE codes:
126
p += strlen(p) + 1;
successes += test(pat, p, expected);
p += strlen(p) + 1;
n++;
}
n -= successes;
printk(message, successes, n);
Reported by FlawFinder.
lib/raid6/algos.c
3 issues
Line: 23
Column: 7
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#include <linux/gfp.h>
#if !RAID6_USE_EMPTY_ZERO_PAGE
/* In .bss so it's zeroed */
const char raid6_empty_zero_page[PAGE_SIZE] __attribute__((aligned(256)));
EXPORT_SYMBOL(raid6_empty_zero_page);
#endif
#endif
struct raid6_calls raid6_call;
Reported by FlawFinder.
Line: 257
Column: 3
CWE codes:
120
Suggestion:
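Make sure destination can always hold the source data. Triage note: the loop and the remainder copy that follows it together write (disks - 2) * PAGE_SIZE bytes through `p`. The point to confirm is that the buffer `p` starts in was allocated with at least that many bytes; the allocation is outside this excerpt.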
cycle = ((disks - 2) * PAGE_SIZE) / 65536;
for (i = 0; i < cycle; i++) {
memcpy(p, raid6_gfmul, 65536);
p += 65536;
}
if ((disks - 2) * PAGE_SIZE % 65536)
memcpy(p, raid6_gfmul, (disks - 2) * PAGE_SIZE % 65536);
Reported by FlawFinder.
Line: 262
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if ((disks - 2) * PAGE_SIZE % 65536)
memcpy(p, raid6_gfmul, (disks - 2) * PAGE_SIZE % 65536);
/* select raid gen_syndrome function */
gen_best = raid6_choose_gen(&dptrs, disks);
/* select raid recover functions */
Reported by FlawFinder.
lib/string_helpers.c
3 issues
Line: 519
CWE codes:
682
unsigned int flags, const char *only)
{
char *p = dst;
char *end = p + osz;
bool is_dict = only && *only;
bool is_append = flags & ESCAPE_APPEND;
while (isz--) {
unsigned char c = *src++;
Reported by Cppcheck.
Line: 54
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static const unsigned int rounding[] = { 500, 50, 5 };
int i = 0, j;
u32 remainder = 0, sf_cap;
char tmp[8];
const char *unit;
tmp[0] = '\0';
if (blk_size == 0)
Reported by FlawFinder.
Line: 598
Column: 9
CWE codes:
126
if (!src)
return NULL;
slen = strlen(src);
dlen = string_escape_mem(src, slen, NULL, 0, flags, esc);
dst = kmalloc(dlen + 1, gfp);
if (!dst)
return NULL;
Reported by FlawFinder.
lib/test_bitmap.c
3 issues
Line: 21
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
KSTM_MODULE_GLOBALS();
static char pbl_buffer[PAGE_SIZE] __initdata;
static const unsigned long exp1[] __initconst = {
BITMAP_FROM_U64(1),
BITMAP_FROM_U64(2),
BITMAP_FROM_U64(0x0000ffff),
Reported by FlawFinder.
Line: 655
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (i = 0; i < ARRAY_SIZE(test_cut); i++) {
struct test_bitmap_cut *t = &test_cut[i];
memcpy(in, t->in, sizeof(t->in));
bitmap_cut(out, in, t->first, t->cut, t->nbits);
expect_eq_bitmap(t->expected, out, t->nbits);
}
Reported by FlawFinder.
Line: 482
Column: 49
CWE codes:
126
for (i = 0; i < ARRAY_SIZE(parse_tests); i++) {
struct test_bitmap_parselist test = parse_tests[i];
size_t len = test.flags & NO_LEN ? UINT_MAX : strlen(test.in);
time = ktime_get();
err = bitmap_parse(test.in, len, bmap, test.nbits);
time = ktime_get() - time;
Reported by FlawFinder.
lib/test_bpf.c
3 issues
Line: 6507
Column: 3
CWE codes:
120
Suggestion:
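Make sure destination can always hold the source data. Triage note: the destination is the mapping returned by `kmap(page)`, so the copy stays in bounds only if MAX_DATA does not exceed the page size and `test->frag_data` holds at least MAX_DATA bytes. Neither definition is in this excerpt.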
ptr = kmap(page);
if (!ptr)
goto err_free_page;
memcpy(ptr, test->frag_data, MAX_DATA);
kunmap(page);
skb_add_rx_frag(skb, 0, page, 0, MAX_DATA, MAX_DATA);
}
return skb;
Reported by FlawFinder.
Line: 6600
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
fp->len = flen;
/* Type doesn't really matter here as long as it's not unspec. */
fp->type = BPF_PROG_TYPE_SOCKET_FILTER;
memcpy(fp->insnsi, fptr, fp->len * sizeof(struct bpf_insn));
fp->aux->stack_depth = tests[which].stack_depth;
/* We cannot error here as we don't need type compatibility
* checks.
*/
Reported by FlawFinder.
Line: 6687
Column: 8
CWE codes:
119
120
Suggestion:
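Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. Triage note: the flagged line is the declaration `static char test_name[64];`, and the one use shown, `module_param_string(test_name, test_name, sizeof(test_name), 0)`, passes the array's own size as the length limit.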
return err_cnt;
}
static char test_name[64];
module_param_string(test_name, test_name, sizeof(test_name), 0);
static int test_id = -1;
module_param(test_id, int, 0);
Reported by FlawFinder.
lib/test_string.c
3 issues
Line: 122
Column: 18
CWE codes:
126
char *result;
int i;
for (i = 0; i < strlen(test_string) + 1; i++) {
result = strchr(test_string, test_string[i]);
if (result - test_string != i)
return i + 'a';
}
Reported by FlawFinder.
Line: 150
Column: 18
CWE codes:
126
char *result;
int i, j;
for (i = 0; i < strlen(test_string) + 1; i++) {
for (j = 0; j < strlen(test_string) + 2; j++) {
result = strnchr(test_string, j, test_string[i]);
if (j <= i) {
if (!result)
continue;
Reported by FlawFinder.
Line: 151
Column: 19
CWE codes:
126
int i, j;
for (i = 0; i < strlen(test_string) + 1; i++) {
for (j = 0; j < strlen(test_string) + 2; j++) {
result = strnchr(test_string, j, test_string[i]);
if (j <= i) {
if (!result)
continue;
return ((i + 'a') << 8) | j;
Reported by FlawFinder.
lib/test_user_copy.c
3 issues
Line: 131
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ksize = size;
usize = size;
memcpy(expected, umem_src, ksize);
memset(kmem, 0x0, size);
ret |= test(copy_struct_from_user(kmem, ksize, umem, usize),
"copy_struct_from_user(usize == ksize) failed");
ret |= test(memcmp(kmem, expected, ksize),
Reported by FlawFinder.
Line: 143
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ksize = size;
usize = size / 2;
memcpy(expected, umem_src, usize);
memset(expected + usize, 0x0, ksize - usize);
memset(kmem, 0x0, size);
ret |= test(copy_struct_from_user(kmem, ksize, umem, usize),
"copy_struct_from_user(usize < ksize) failed");
Reported by FlawFinder.
Line: 164
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ksize = size / 2;
usize = size;
memcpy(expected, umem_src, ksize);
ret |= test(clear_user(umem + ksize, usize - ksize),
"legitimate clear_user failed");
memset(kmem, 0x0, size);
ret |= test(copy_struct_from_user(kmem, ksize, umem, usize),
Reported by FlawFinder.
lib/test_uuid.c
3 issues
Line: 66
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
guid_t le;
uuid_t be;
char buf[48];
/* LE */
total_tests++;
if (guid_parse(data->uuid, &le))
test_uuid_failed("conversion", false, false, data->uuid, NULL);
Reported by FlawFinder.
Line: 75
Column: 3
CWE codes:
120
Suggestion:
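Use sprintf_s, snprintf, or vsnprintf. Triage note: `sprintf_s` is not available in kernel code. The fitting change is `snprintf(buf, sizeof(buf), "%pUl", &le);`, bounded by the `char buf[48]` flagged at line 66.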
total_tests++;
if (!guid_equal(&data->le, &le)) {
sprintf(buf, "%pUl", &le);
test_uuid_failed("cmp", false, false, data->uuid, buf);
}
/* BE */
total_tests++;
Reported by FlawFinder.
Line: 86
Column: 3
CWE codes:
120
Suggestion:
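Use sprintf_s, snprintf, or vsnprintf. Triage note: `sprintf_s` is not available in kernel code. The fitting change is `snprintf(buf, sizeof(buf), "%pUb", &be);`, bounded by the `char buf[48]` flagged at line 66.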
total_tests++;
if (!uuid_equal(&data->be, &be)) {
sprintf(buf, "%pUb", &be);
test_uuid_failed("cmp", false, true, data->uuid, buf);
}
}
static void __init test_uuid_wrong(const char *data)
Reported by FlawFinder.
lib/uuid.c
3 issues
Line: 33
Column: 36
CWE codes:
119
120
Suggestion:
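Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. Triage note: the hit is the parameter declaration `unsigned char uuid[16]`. In C that parameter is a pointer and the `[16]` is not enforced, while `get_random_bytes(uuid, 16)` always writes 16 bytes, so the bound has to be guaranteed by the buffer each caller passes.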
* Used to create a Boot ID or a filesystem UUID/GUID, but can be
* useful for other kernel drivers.
*/
void generate_random_uuid(unsigned char uuid[16])
{
get_random_bytes(uuid, 16);
/* Set UUID version to 4 --- truly random generation */
uuid[6] = (uuid[6] & 0x0F) | 0x40;
/* Set the UUID variant to DCE */
Reported by FlawFinder.
Line: 43
Column: 36
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
EXPORT_SYMBOL(generate_random_uuid);
void generate_random_guid(unsigned char guid[16])
{
get_random_bytes(guid, 16);
/* Set GUID version to 4 --- truly random generation */
guid[7] = (guid[7] & 0x0F) | 0x40;
/* Set the GUID variant to DCE */
Reported by FlawFinder.
Line: 105
Column: 31
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
EXPORT_SYMBOL(uuid_is_valid);
static int __uuid_parse(const char *uuid, __u8 b[16], const u8 ei[16])
{
static const u8 si[16] = {0,2,4,6,9,11,14,16,19,21,24,26,28,30,32,34};
unsigned int i;
if (!uuid_is_valid(uuid))
Reported by FlawFinder.