The following issues were found
drivers/gpu/drm/lima/lima_drv.c
3 issues
Line: 302
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
size_t size = min_t(size_t, max_off - reader->off,
reader->count);
memcpy(reader->dst, src + (reader->off - reader->base), size);
reader->dst += size;
reader->off += size;
reader->read += size;
reader->count -= size;
Reported by FlawFinder.
Line: 338
Column: 16
CWE codes:
120
20
}
mutex_unlock(&ldev->error_task_list_lock);
return reader.read;
}
static ssize_t lima_error_state_write(struct file *file, struct kobject *kobj,
struct bin_attribute *attr, char *buf,
loff_t off, size_t count)
Reported by FlawFinder.
drivers/hid/hid-steam.c
3 issues
Line: 122
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned long quirks;
struct work_struct work_connect;
bool connected;
char serial_no[STEAM_SERIAL_LEN + 1];
struct power_supply_desc battery_desc;
struct power_supply __rcu *battery;
u8 battery_charge;
u16 voltage;
};
Reported by FlawFinder.
Line: 154
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
buf, hid_report_len(r) + 1,
HID_FEATURE_REPORT, HID_REQ_GET_REPORT);
if (ret > 0)
memcpy(data, buf + 1, min(size, ret - 1));
kfree(buf);
return ret;
}
static int steam_send_report(struct steam_device *steam,
Reported by FlawFinder.
Line: 176
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -ENOMEM;
/* The report ID is always 0 */
memcpy(buf + 1, cmd, size);
/*
* Sometimes the wireless controller fails with EPIPE
* when sending a feature report.
* Doing a HID_REQ_GET_REPORT and waiting for a while
Reported by FlawFinder.
drivers/infiniband/core/mad_rmpp.c
3 issues
Line: 117
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct ib_rmpp_mad *ack = msg->mad;
unsigned long flags;
memcpy(ack, &data->mad_hdr, msg->hdr_len);
ack->mad_hdr.method ^= IB_MGMT_METHOD_RESP;
ack->rmpp_hdr.rmpp_type = IB_MGMT_RMPP_TYPE_ACK;
ib_set_rmpp_flags(&ack->rmpp_hdr, IB_MGMT_RMPP_FLAG_ACTIVE);
Reported by FlawFinder.
Line: 190
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return;
rmpp_mad = msg->mad;
memcpy(rmpp_mad, recv_wc->recv_buf.mad, msg->hdr_len);
rmpp_mad->mad_hdr.method ^= IB_MGMT_METHOD_RESP;
ib_set_rmpp_flags(&rmpp_mad->rmpp_hdr, IB_MGMT_RMPP_FLAG_ACTIVE);
rmpp_mad->rmpp_hdr.seg_num = 0;
rmpp_mad->rmpp_hdr.paylen_newwin = cpu_to_be32(1);
Reported by FlawFinder.
Line: 224
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return;
rmpp_mad = msg->mad;
memcpy(rmpp_mad, recv_wc->recv_buf.mad, msg->hdr_len);
rmpp_mad->mad_hdr.method ^= IB_MGMT_METHOD_RESP;
rmpp_mad->rmpp_hdr.rmpp_version = IB_MGMT_RMPP_VERSION;
rmpp_mad->rmpp_hdr.rmpp_type = IB_MGMT_RMPP_TYPE_ABORT;
ib_set_rmpp_flags(&rmpp_mad->rmpp_hdr, IB_MGMT_RMPP_FLAG_ACTIVE);
Reported by FlawFinder.
drivers/input/touchscreen/rohm_bu21023.c
3 issues
Line: 736
Column: 9
CWE codes:
120
Suggestion:
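Use sprintf_s, snprintf, or vsnprintf (generic advice: sprintf_s is not available in kernel code; if the quoted function is a sysfs show() callback, as its signature pairing with swap_xy_store suggests, the bounded helper is sysfs_emit())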
struct i2c_client *client = to_i2c_client(dev);
struct rohm_ts_data *ts = i2c_get_clientdata(client);
return sprintf(buf, "%d\n", !!(ts->setup2 & SWAP_XY));
}
static ssize_t swap_xy_store(struct device *dev, struct device_attribute *attr,
const char *buf, size_t count)
{
Reported by FlawFinder.
Line: 775
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct i2c_client *client = to_i2c_client(dev);
struct rohm_ts_data *ts = i2c_get_clientdata(client);
return sprintf(buf, "%d\n", !!(ts->setup2 & INV_X));
}
static ssize_t inv_x_store(struct device *dev, struct device_attribute *attr,
const char *buf, size_t count)
{
Reported by FlawFinder.
Line: 814
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct i2c_client *client = to_i2c_client(dev);
struct rohm_ts_data *ts = i2c_get_clientdata(client);
return sprintf(buf, "%d\n", !!(ts->setup2 & INV_Y));
}
static ssize_t inv_y_store(struct device *dev, struct device_attribute *attr,
const char *buf, size_t count)
{
Reported by FlawFinder.
drivers/gpu/drm/i915/selftests/scatterlist.c
3 issues
Line: 228
CWE codes:
908
return alloc_error;
/* count should be less than 20 to prevent overflowing sg->length */
GEM_BUG_ON(overflows_type(count * PAGE_SIZE, sg->length));
/* Construct a table where each scatterlist contains different number
* of entries. The idea is to check that we can iterate the individual
* pages from inside the coalesced lists.
*/
Reported by Cppcheck.
Line: 186
Column: 21
CWE codes:
327
Suggestion:
Use a more secure technique for acquiring random values
return count - n;
}
/*
 * Return a pseudo-random value in the range 1..1024, drawn from the
 * caller-supplied prandom state. @n and @count are not used here.
 *
 * NOTE(review): the generator is whatever state the caller passes in @rnd,
 * i.e. a non-cryptographic PRNG. That looks deliberate for a selftest that
 * needs varied but reproducible sizes; the result must not be reused
 * for keys, nonces or other security-sensitive values. Confirm against
 * the callers.
 */
static unsigned int random(unsigned long n,
			   unsigned long count,
			   struct rnd_state *rnd)
{
	unsigned int draw = prandom_u32_state(rnd) % 1024;

	return draw + 1;
}
Reported by FlawFinder.
Line: 269
Column: 2
CWE codes:
327
Suggestion:
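Use a more secure technique for acquiring random values (the flagged token in the quoted code is the function name `random` listed as an entry in a NULL-terminated table, not a call that produces a random value)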
one,
grow,
shrink,
random,
random_page_size_pages,
NULL,
};
static int igt_sg_alloc(void *ignored)
Reported by FlawFinder.
drivers/hwmon/max6642.c
3 issues
Line: 202
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct sensor_device_attribute *attr = to_sensor_dev_attr(dev_attr);
struct max6642_data *data = max6642_update_device(dev);
return sprintf(buf, "%d\n",
temp_from_reg10(data->temp_input[attr->index]));
}
static ssize_t temp_max_show(struct device *dev,
struct device_attribute *attr, char *buf)
Reported by FlawFinder.
Line: 212
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct sensor_device_attribute_2 *attr2 = to_sensor_dev_attr_2(attr);
struct max6642_data *data = max6642_update_device(dev);
return sprintf(buf, "%d\n", temp_from_reg(data->temp_high[attr2->nr]));
}
static ssize_t temp_max_store(struct device *dev,
struct device_attribute *attr, const char *buf,
size_t count)
Reported by FlawFinder.
Line: 241
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
int bitnr = to_sensor_dev_attr(attr)->index;
struct max6642_data *data = max6642_update_device(dev);
return sprintf(buf, "%d\n", (data->alarms >> bitnr) & 1);
}
static SENSOR_DEVICE_ATTR_RO(temp1_input, temp_max10, 0);
static SENSOR_DEVICE_ATTR_RO(temp2_input, temp_max10, 1);
static SENSOR_DEVICE_ATTR_2_RW(temp1_max, temp_max, 0,
Reported by FlawFinder.
drivers/gpu/drm/i915/selftests/i915_request.c
3 issues
Line: 1456
Column: 3
CWE codes:
119
120
Suggestion:
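Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length (the flagged line is the `char name[KSYM_NAME_LEN]` declaration; the only write to it in the quoted code is `snprintf(name, sizeof(name), ...)`, which is bounded by the array size)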
return -ENOMEM;
for (fn = func; !err && *fn; fn++) {
char name[KSYM_NAME_LEN];
struct igt_live_test t;
unsigned int idx;
snprintf(name, sizeof(name), "%ps", *fn);
err = igt_live_test_begin(&t, i915, __func__, name);
Reported by FlawFinder.
Line: 2686
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
GEM_BUG_ON(idx != ps->nengines);
for (fn = func; *fn && !err; fn++) {
char name[KSYM_NAME_LEN];
struct igt_live_test t;
snprintf(name, sizeof(name), "%ps", *fn);
err = igt_live_test_begin(&t, i915, __func__, name);
if (err)
Reported by FlawFinder.
Line: 2996
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
cpu_latency_qos_add_request(&qos, 0);
for (fn = func; *fn; fn++) {
char name[KSYM_NAME_LEN];
struct igt_live_test t;
unsigned int idx;
snprintf(name, sizeof(name), "%ps", *fn);
err = igt_live_test_begin(&t, i915, __func__, name);
Reported by FlawFinder.
drivers/isdn/hardware/mISDN/avmfritz.c
3 issues
Line: 121
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct fritzcard {
struct list_head list;
struct pci_dev *pdev;
char name[MISDN_MAX_IDLEN];
u8 type;
u8 ctrlreg;
u16 irq;
u32 irqcnt;
u32 addr;
Reported by FlawFinder.
Line: 131
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct isac_hw isac;
struct hdlc_hw hdlc[2];
struct bchannel bch[2];
char log[LOG_SIZE + 1];
};
/* File-scope list head named Cards, declared with the LIST_HEAD() macro. */
static LIST_HEAD(Cards);
/* File-scope rwlock declared with DEFINE_RWLOCK(); it guards the Cards list. */
static DEFINE_RWLOCK(card_lock); /* protect Cards */
Reported by FlawFinder.
Line: 928
Column: 19
CWE codes:
362
case OPEN_CHANNEL:
rq = arg;
if (rq->protocol == ISDN_P_TE_S0)
err = fc->isac.open(&fc->isac, rq);
else
err = open_bchannel(fc, rq);
if (err)
break;
if (!try_module_get(THIS_MODULE))
Reported by FlawFinder.
drivers/md/bcache/bcache.h
3 issues
Line: 257
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct cache_set *c;
unsigned int id;
#define BCACHEDEVNAME_SIZE 12
char name[BCACHEDEVNAME_SIZE];
struct gendisk *disk;
unsigned long flags;
#define BCACHE_DEV_CLOSING 0
Reported by FlawFinder.
Line: 399
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int error_limit;
unsigned int offline_seconds;
char backing_dev_name[BDEVNAME_SIZE];
};
enum alloc_reserve {
RESERVE_BTREE,
RESERVE_PRIO,
Reported by FlawFinder.
Line: 474
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
atomic_long_t btree_sectors_written;
atomic_long_t sectors_written;
char cache_dev_name[BDEVNAME_SIZE];
};
struct gc_stat {
size_t nodes;
size_t nodes_pre;
Reported by FlawFinder.
drivers/hid/intel-ish-hid/ishtp-fw-loader.c
3 issues
Line: 422
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* Copy the buffer received in firmware response for the
* calling thread.
*/
memcpy(client_data->response.data,
rb_in_proc->buffer.data, data_len);
/* Set flag before waking up the caller */
client_data->response.received = true;
Reported by FlawFinder.
Line: 583
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ldr_xfer_ipc_frag->fragment.offset = fragment_offset;
ldr_xfer_ipc_frag->fragment.size = fragment_size;
memcpy(ldr_xfer_ipc_frag->data,
&fw->data[fragment_offset],
fragment_size);
dev_dbg(cl_data_to_dev(client_data),
"xfer_mode=ipc offset=0x%08x size=0x%08x is_last=%d\n",
Reported by FlawFinder.
Line: 692
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ldr_xfer_dma_frag.fragment.offset = fragment_offset;
ldr_xfer_dma_frag.fragment.size = fragment_size;
memcpy(dma_buf, &fw->data[fragment_offset], fragment_size);
dma_sync_single_for_device(devc, dma_buf_phy,
payload_max_size,
DMA_TO_DEVICE);
Reported by FlawFinder.