The following issues were found
arch/alpha/kernel/sys_cabriolet.c
3 issues
Line: 180
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/*
 * Start of the eb66p IRQ-mapping routine; the excerpt shows only its
 * lookup table, not the code that indexes it.
 *
 * Triage note: the flagged line declares a fixed-size table with constant
 * initialisers, and nothing in this excerpt writes to it. The CWE-119/120
 * question therefore reduces to whether the slot/pin values used as
 * indices are range-checked, and that code lies outside the excerpt.
 */
static inline int
eb66p_map_irq(const struct pci_dev *dev, u8 slot, u8 pin)
{
/*
 * NOTE(review): the SIO row stores -1 in a plain char, so it reads back as
 * -1 only if char is signed for this build -- confirm, or the sentinel
 * becomes 255.
 */
static char irq_tab[5][5] = {
/*INT INTA INTB INTC INTD */
{16+0, 16+0, 16+5, 16+9, 16+13}, /* IdSel 6, slot 0, J25 */
{16+1, 16+1, 16+6, 16+10, 16+14}, /* IdSel 7, slot 1, J26 */
{ -1, -1, -1, -1, -1}, /* IdSel 8, SIO */
{16+2, 16+2, 16+7, 16+11, 16+15}, /* IdSel 9, slot 2, J27 */
Reported by FlawFinder.
Line: 210
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/*
 * Start of the cabriolet IRQ-mapping routine; only the lookup table is
 * visible in this excerpt.
 *
 * Triage note: the finding points at a constant-initialised, fixed-size
 * table declaration. No write into the table appears here, so the risk to
 * check is an out-of-range read index derived from slot/pin, which is
 * computed outside the excerpt.
 */
static inline int
cabriolet_map_irq(const struct pci_dev *dev, u8 slot, u8 pin)
{
/* NOTE(review): -1 in a plain char depends on char signedness -- confirm. */
static char irq_tab[5][5] = {
/*INT INTA INTB INTC INTD */
{ 16+2, 16+2, 16+7, 16+11, 16+15}, /* IdSel 5, slot 2, J21 */
{ 16+0, 16+0, 16+5, 16+9, 16+13}, /* IdSel 6, slot 0, J19 */
{ 16+1, 16+1, 16+6, 16+10, 16+14}, /* IdSel 7, slot 1, J20 */
{ -1, -1, -1, -1, -1}, /* IdSel 8, SIO */
Reported by FlawFinder.
Line: 294
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/*
 * Start of the alphapc164 IRQ-mapping routine; only the lookup table is
 * visible in this excerpt.
 *
 * Triage note: a 7x5 table of constants is declared and never written in
 * the lines shown. Whether the CWE-119/120 finding matters depends on the
 * bounds of the row/column indices, which are derived outside the excerpt.
 */
static inline int
alphapc164_map_irq(const struct pci_dev *dev, u8 slot, u8 pin)
{
/* NOTE(review): -1 in a plain char depends on char signedness -- confirm. */
static char irq_tab[7][5] = {
/*INT INTA INTB INTC INTD */
{ 16+2, 16+2, 16+9, 16+13, 16+17}, /* IdSel 5, slot 2, J20 */
{ 16+0, 16+0, 16+7, 16+11, 16+15}, /* IdSel 6, slot 0, J29 */
{ 16+1, 16+1, 16+8, 16+12, 16+16}, /* IdSel 7, slot 1, J26 */
{ -1, -1, -1, -1, -1}, /* IdSel 8, SIO */
Reported by FlawFinder.
arch/mips/kernel/proc.c
3 issues
Line: 61
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
}
seq_printf(m, "processor\t\t: %ld\n", n);
/*
 * Triage note: this sprintf() assembles a printf format string, not
 * output text. Every input is a string literal: the base literal plus
 * either " FPU V%d.%d" or "". The longest result is about 35 bytes
 * including the terminator, which fits the 64-byte fmt buffer the report
 * shows declared at line 42 of this file, so no overflow is reachable from
 * the call as shown. snprintf(fmt, sizeof(fmt), ...) would keep that true
 * if the literals ever grow.
 */
sprintf(fmt, "cpu model\t\t: %%s V%%d.%%d%s\n",
cpu_data[n].options & MIPS_CPU_FPU ? " FPU V%d.%d" : "");
/*
 * fmt is a non-constant format, but it is built only from the literals
 * above; the two fp_vers arguments are consumed only when the FPU suffix
 * was appended.
 */
seq_printf(m, fmt, __cpu_name[n],
(version >> 4) & 0x0f, version & 0x0f,
(fp_vers >> 4) & 0x0f, fp_vers & 0x0f);
seq_printf(m, "BogoMIPS\t\t: %u.%02u\n",
Reported by FlawFinder.
Line: 155
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
seq_printf(m, "VP\t\t\t: %d\n", cpu_vpe_id(&cpu_data[n]));
#endif
/*
 * Triage note: the format string is composed from literals only ("%u" or
 * "not available" spliced into a fixed template). The longest result is
 * about 35 bytes with the terminator, inside the 64-byte fmt buffer the
 * report shows at line 42 of this file. A bounded snprintf() would make
 * that invariant explicit.
 */
sprintf(fmt, "VCE%%c exceptions\t\t: %s\n",
cpu_has_vce ? "%u" : "not available");
/* The same fmt is reused for both counters; the count argument is only
 * consumed when the "%u" variant was selected. */
seq_printf(m, fmt, 'D', vced_count);
seq_printf(m, fmt, 'I', vcei_count);
proc_cpuinfo_notifier_args.m = m;
Reported by FlawFinder.
Line: 42
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/*
 * NOTE(review): n is derived from the opaque value v and indexes cpu_data[]
 * in the initialisers below, before any check visible in this excerpt (the
 * cpu_online() test comes later and only under CONFIG_SMP). Presumably the
 * caller bounds v -- confirm.
 */
unsigned long n = (unsigned long) v - 1;
unsigned int version = cpu_data[n].processor_id;
unsigned int fp_vers = cpu_data[n].fpu_id;
/*
 * Scratch buffer for format strings; this declaration is what the
 * CWE-119/120 finding points at. Its safety depends on what is written
 * into it, i.e. the two sprintf() calls the report lists for this file.
 */
char fmt [64];
int i;
#ifdef CONFIG_SMP
if (!cpu_online(n))
return 0;
Reported by FlawFinder.
arch/x86/kernel/traps.c
3 issues
Line: 587
Column: 3
CWE codes:
134
Suggestion:
Use a constant for the format specification
goto exit;
/*
 * Triage note (CWE-134): the format argument is fixed at build time.
 * "segment-related " GPFSTR is adjacent-literal concatenation, which only
 * compiles if GPFSTR expands to a string literal. The write is bounded by
 * sizeof(desc). The one condition left to verify is that GPFSTR contains no
 * '%' conversion; its definition is not part of this excerpt.
 */
if (error_code)
snprintf(desc, sizeof(desc), "segment-related " GPFSTR);
else
hint = get_kernel_gp_address(regs, &gp_addr);
if (hint != GP_NO_HINT)
snprintf(desc, sizeof(desc), GPFSTR ", %s 0x%lx",
Reported by FlawFinder.
Line: 592
Column: 3
CWE codes:
134
Suggestion:
Use a constant for the format specification
hint = get_kernel_gp_address(regs, &gp_addr);
if (hint != GP_NO_HINT)
/*
 * Triage note (CWE-134): the format is GPFSTR concatenated with a literal,
 * so it is constant at build time provided GPFSTR holds no '%' conversion
 * (definition not shown). The %s argument is one of two string literals and
 * %lx receives gp_addr, an unsigned long; output is capped at sizeof(desc).
 */
snprintf(desc, sizeof(desc), GPFSTR ", %s 0x%lx",
(hint == GP_NON_CANONICAL) ? "probably for non-canonical address"
: "maybe for address",
gp_addr);
/*
Reported by FlawFinder.
Line: 533
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
DEFINE_IDTENTRY_ERRORCODE(exc_general_protection)
{
/*
 * Triage note: desc is sized from the data it will hold -- the GPFSTR
 * prefix, up to 50 characters of hint text (the longest hint string the
 * report shows for this file needs about 39 with its separators), two hex
 * digits per byte of an unsigned long, and a terminator. Both writers shown
 * in the report pass sizeof(desc) to snprintf(), so an undersized estimate
 * would truncate rather than overflow.
 */
char desc[sizeof(GPFSTR) + 50 + 2*sizeof(unsigned long) + 1] = GPFSTR;
enum kernel_gp_hint hint = GP_NO_HINT;
struct task_struct *tsk;
unsigned long gp_addr;
int ret;
Reported by FlawFinder.
block/blk-iolatency.c
3 issues
Line: 810
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
ret = -EINVAL;
while ((tok = strsep(&p, " "))) {
/*
 * Triage note: both buffers are filled only by the sscanf() below, whose
 * field widths are one less than the array sizes (%15 into key[16], %20
 * into val[21]), leaving room for the terminating NUL. The parse therefore
 * cannot overrun either array.
 */
char key[16];
char val[21]; /* 18446744073709551616 */
/*
 * NOTE(review): a value longer than 20 characters is truncated by %20s, not
 * rejected; whether that matters depends on the numeric conversion that
 * follows, outside this excerpt.
 */
if (sscanf(tok, "%15[^=]=%20s", key, val) != 2)
goto out;
Reported by FlawFinder.
Line: 811
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
ret = -EINVAL;
while ((tok = strsep(&p, " "))) {
char key[16];
/* Triage note: val[21] is written only through "%20s" below, so at most 20
 * characters plus the terminator are stored. */
char val[21]; /* 18446744073709551616 */
if (sscanf(tok, "%15[^=]=%20s", key, val) != 2)
goto out;
/* key is NUL-terminated by the bounded "%15[^=]" conversion above, so this
 * strcmp() reads a terminated string. */
if (!strcmp(key, "target")) {
Reported by FlawFinder.
Line: 813
Column: 7
CWE codes:
120
Suggestion:
Check that the limit is sufficiently small, or use a different input function
char key[16];
char val[21]; /* 18446744073709551616 */
/*
 * Triage note: the scanner flags sscanf() with %s generically. Here both
 * conversions carry explicit widths (15 and 20) that are one below the
 * destination sizes, which is the "sufficiently small limit" the suggestion
 * asks for. Tokens that do not yield both fields take the out path with ret
 * preset to -EINVAL in the surrounding code.
 */
if (sscanf(tok, "%15[^=]=%20s", key, val) != 2)
goto out;
if (!strcmp(key, "target")) {
u64 v;
Reported by FlawFinder.
arch/s390/kvm/vsie.c
3 issues
Line: 403
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
scb_o->gpsw = scb_s->gpsw;
scb_o->gg14 = scb_s->gg14;
scb_o->gg15 = scb_s->gg15;
/*
 * NOTE(review): the length 128 is hard-coded. It is safe only if both gcr
 * fields are at least 128 bytes, which the structure definition (not in
 * this excerpt) would establish. sizeof(scb_o->gcr) would tie the length to
 * the destination -- confirm the field size before relying on the literal.
 */
memcpy(scb_o->gcr, scb_s->gcr, 128);
scb_o->pp = scb_s->pp;
/* branch prediction */
if (test_kvm_facility(vcpu->kvm, 82)) {
scb_o->fpf &= ~FPF_BPBC;
Reported by FlawFinder.
Line: 417
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
case ICPT_PROGI:
case ICPT_INSTPROGI:
case ICPT_EXTINT:
/*
 * NOTE(review): copies the 0x30 bytes at offsets 0xc0..0xef from scb_s to
 * scb_o by raw byte offset rather than by field name. This is in bounds
 * only if both blocks are at least 0xf0 bytes -- presumably they share one
 * structure type; confirm against its definition. A named field range or
 * offsetof() would make the bound checkable at compile time.
 */
memcpy((void *)((u64)scb_o + 0xc0),
(void *)((u64)scb_s + 0xc0), 0xf0 - 0xc0);
break;
}
if (scb_s->ihcpu != 0xffffU)
Reported by FlawFinder.
Line: 469
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
scb_s->gpsw = scb_o->gpsw;
scb_s->gg14 = scb_o->gg14;
scb_s->gg15 = scb_o->gg15;
/*
 * NOTE(review): the same fixed 128-byte gcr copy the report shows at line
 * 403 of this file, in the opposite direction (scb_o into scb_s). The bound
 * holds only if the gcr field is at least 128 bytes in both blocks; the
 * definition is not shown here -- confirm.
 */
memcpy(scb_s->gcr, scb_o->gcr, 128);
scb_s->pp = scb_o->pp;
/* interception / execution handling */
scb_s->gbea = scb_o->gbea;
scb_s->lctl = scb_o->lctl;
Reported by FlawFinder.
arch/riscv/kernel/image-vars.h
3 issues
Line: 28
Column: 21
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*/
/*
 * Triage note: every line here is a symbol alias of the form name = name.
 * No call, buffer or length appears, so the CWE-120 finding has no copy to
 * analyse; the scanner matched the identifier memcpy lexically. Any real
 * bounds question belongs to the call sites of the aliased functions, which
 * are outside this excerpt.
 */
__efistub_memcmp = memcmp;
__efistub_memchr = memchr;
__efistub_memcpy = memcpy;
__efistub_memmove = memmove;
__efistub_memset = memset;
__efistub_strlen = strlen;
__efistub_strnlen = strnlen;
__efistub_strcmp = strcmp;
Reported by FlawFinder.
Line: 38
Column: 23
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
__efistub_strrchr = strrchr;
#ifdef CONFIG_KASAN
/*
 * Triage note: under CONFIG_KASAN the double-underscore names are aliased
 * to the same memcpy/memmove/memset symbols. These are alias assignments,
 * not calls, so the flagged line performs no copy.
 */
__efistub___memcpy = memcpy;
__efistub___memmove = memmove;
__efistub___memset = memset;
#endif
__efistub__start = _start;
Reported by FlawFinder.
Line: 31
Column: 21
CWE codes:
126
__efistub_memcpy = memcpy;
__efistub_memmove = memmove;
__efistub_memset = memset;
/*
 * Triage note: the CWE-126 (over-read) finding lands on the strlen alias
 * below. No string is passed to strlen here; the line only binds one symbol
 * name to another, so there is nothing unterminated to read in this file
 * excerpt.
 */
__efistub_strlen = strlen;
__efistub_strnlen = strnlen;
__efistub_strcmp = strcmp;
__efistub_strncmp = strncmp;
__efistub_strrchr = strrchr;
Reported by FlawFinder.
block/blk-map.c
3 issues
Line: 32
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Allocation is sized for nr_segs trailing iov entries via struct_size(). */
bmd = kmalloc(struct_size(bmd, iov, data->nr_segs), gfp_mask);
if (!bmd)
return NULL;
/*
 * Triage note: the copy length uses the same nr_segs count as the
 * allocation above, so destination and length agree provided bmd->iov is
 * an array of struct iovec (definition not shown -- confirm).
 * NOTE(review): the multiplication here is written by hand while the
 * allocation goes through struct_size(); array_size() or
 * sizeof(*bmd->iov) * nr_segs would keep the two expressions visibly tied.
 */
memcpy(bmd->iov, data->iov, sizeof(struct iovec) * data->nr_segs);
bmd->iter = *data;
/* Repoint the copied iterator at the private iov copy. */
bmd->iter.iov = bmd->iov;
return bmd;
}
Reported by FlawFinder.
Line: 403
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct bvec_iter_all iter_all;
bio_for_each_segment_all(bvec, bio, iter_all) {
/*
 * NOTE(review): each segment's bv_len bytes are appended at p, which then
 * advances by the same amount. The destination is in bounds only if the
 * buffer behind p is at least the sum of all bv_len values; where p is set
 * and how that buffer was sized is outside this excerpt -- confirm.
 */
memcpy(p, page_address(bvec->bv_page), bvec->bv_len);
p += bvec->bv_len;
}
bio_copy_kern_endio(bio);
}
Reported by FlawFinder.
Line: 454
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto cleanup;
/*
 * NOTE(review): for writes, bytes are copied from p into a single page. The
 * copy is in bounds only if bytes never exceeds the page size; the clamp on
 * bytes is computed before this excerpt -- confirm it is present.
 */
if (!reading)
memcpy(page_address(page), p, bytes);
if (bio_add_pc_page(q, bio, page, bytes, 0) < bytes)
break;
len -= bytes;
Reported by FlawFinder.
arch/x86/crypto/aegis128-aesni-glue.c
3 issues
Line: 87
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (pos + size >= AEGIS128_BLOCK_SIZE) {
if (pos > 0) {
/*
 * Triage note: fill tops the partial block up to exactly
 * AEGIS128_BLOCK_SIZE, so the write ends at buf.bytes + AEGIS128_BLOCK_SIZE,
 * and the outer condition guarantees size >= fill for the read from src.
 * NOTE(review): this relies on pos < AEGIS128_BLOCK_SIZE (otherwise the
 * unsigned subtraction wraps) and on buf.bytes holding a full block; both
 * are established outside this excerpt -- confirm.
 */
unsigned int fill = AEGIS128_BLOCK_SIZE - pos;
memcpy(buf.bytes + pos, src, fill);
crypto_aegis128_aesni_ad(state,
AEGIS128_BLOCK_SIZE,
buf.bytes);
pos = 0;
left -= fill;
Reported by FlawFinder.
Line: 102
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Keep only the remainder below one block (assumes the block size is a
 * power of two -- TODO confirm). */
left &= AEGIS128_BLOCK_SIZE - 1;
}
/*
 * NOTE(review): stores the leftover bytes after the current fill position.
 * In bounds only if pos + left stays within buf.bytes; on the path that
 * skipped the block above, that depends on pos + size having been below
 * AEGIS128_BLOCK_SIZE, which is the negation of the condition shown at line
 * 87 of this file in the report -- confirm against the full function.
 */
memcpy(buf.bytes + pos, src, left);
pos += left;
assoclen -= size;
scatterwalk_unmap(mapped);
scatterwalk_advance(&walk, size);
Reported by FlawFinder.
Line: 150
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/*
 * Triage note: the caller-supplied length is validated for exact equality
 * with AEGIS128_KEY_SIZE before the copy, and the copy uses that constant,
 * so the source read is bounded. The destination is safe if ctx->key.bytes
 * is at least AEGIS128_KEY_SIZE bytes (definition not shown -- confirm).
 */
if (keylen != AEGIS128_KEY_SIZE)
return -EINVAL;
memcpy(ctx->key.bytes, key, AEGIS128_KEY_SIZE);
return 0;
}
static int crypto_aegis128_aesni_setauthsize(struct crypto_aead *tfm,
Reported by FlawFinder.
arch/x86/kvm/kvm_emulate.h
3 issues
Line: 116
Column: 38
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
/*
 * Triage note (CWE-78): this is a function-pointer declaration; nothing is
 * executed here. The reported column appears to fall on the parameter named
 * `system`, a bool, which the scanner matched against the C library
 * function of the same name. No command string exists in these lines.
 */
int (*read_std)(struct x86_emulate_ctxt *ctxt,
unsigned long addr, void *val,
unsigned int bytes,
struct x86_exception *fault, bool system);
/*
* read_phys: Read bytes of standard (non-emulated/special) memory.
* Used for descriptor reading.
* @addr: [IN ] Physical address from which to read.
Reported by FlawFinder.
Line: 138
Column: 39
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
*/
/*
 * Triage note (CWE-78): a function-pointer declaration whose last parameter
 * is a bool named `system`. The finding appears to be a lexical match on
 * that identifier; no shell or command invocation appears in these lines.
 */
int (*write_std)(struct x86_emulate_ctxt *ctxt,
unsigned long addr, void *val, unsigned int bytes,
struct x86_exception *fault, bool system);
/*
* fetch: Read bytes of standard (non-emulated/special) memory.
* Used for instruction fetch.
* @addr: [IN ] Linear address from which to read.
* @val: [OUT] Value read from memory, zero-extended to 'u_long'.
Reported by FlawFinder.
Line: 260
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
union {
unsigned long val;
u64 val64;
/*
 * Triage note: valptr is sized with sizeof(sse128_t), the type of the
 * vec_val member sharing this union, so the array tracks that type rather
 * than a magic number. The declaration alone cannot overflow; the bound to
 * check is the byte count passed by code that writes through valptr,
 * which is outside this excerpt.
 */
char valptr[sizeof(sse128_t)];
sse128_t vec_val;
u64 mm_val;
void *data;
};
};
Reported by FlawFinder.
arch/x86/crypto/ecb_cbc_helpers.h
3 issues
Line: 52
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
__iv = dst; \
ECB_WALK_ADVANCE(1); \
} \
memcpy(walk.iv, __iv, __bsize); \
} while (0)
/*
 * CBC decryption step for `blocks` blocks at a time (only the head of the
 * macro is visible in this excerpt). __iv points at the last source block of
 * the batch.
 * NOTE(review): the loop guard compares nbytes with blocks * __bsize, so the
 * src offset computed below stays within the nbytes remaining; that src
 * actually spans nbytes is established by the enclosing walk code, not shown.
 */
#define CBC_DEC_BLOCK(blocks, func) do { \
while (nbytes >= (blocks) * __bsize) { \
const u8 *__iv = src + ((blocks) - 1) * __bsize; \
Reported by FlawFinder.
Line: 59
Column: 11
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
while (nbytes >= (blocks) * __bsize) { \
const u8 *__iv = src + ((blocks) - 1) * __bsize; \
/* Triage note: for in-place operation the last source block is saved to */ \
/* buf before func runs, presumably because func overwrites it and it is */ \
/* needed afterwards as the next IV. Every memcpy here moves exactly */ \
/* __bsize bytes; buf and walk.iv must each hold __bsize bytes, and both */ \
/* are declared outside this excerpt -- confirm. */ \
if (dst == src) \
__iv = memcpy(buf, __iv, __bsize); \
(func)(ctx, dst, src); \
crypto_xor(dst, walk.iv, __bsize); \
memcpy(walk.iv, __iv, __bsize); \
ECB_WALK_ADVANCE(blocks); \
} \
Reported by FlawFinder.
Line: 62
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
__iv = memcpy(buf, __iv, __bsize); \
(func)(ctx, dst, src); \
crypto_xor(dst, walk.iv, __bsize); \
memcpy(walk.iv, __iv, __bsize); \
ECB_WALK_ADVANCE(blocks); \
} \
} while (0)
#define ECB_WALK_END() \
Reported by FlawFinder.