The following issues were found
drivers/gpu/drm/nouveau/nvkm/engine/dma/user.c
3 issues
Line: 87
Column: 51
CWE codes:
362/367!
Suggestion:
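Set up the correct permissions (e.g., using setuid()) and try to open the file directly
This advice targets the access() system call. In the excerpt below the flagged token is the struct member `access` (`args->v0.access`) and no call to access() appears, so the finding looks like a name-match false positive rather than a check-then-use race on a file.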
if (!(ret = nvif_unpack(ret, &data, &size, args->v0, 0, 0, true))) {
nvif_ioctl(parent, "create dma vers %d target %d access %d "
"start %016llx limit %016llx\n",
args->v0.version, args->v0.target, args->v0.access,
args->v0.start, args->v0.limit);
dmaobj->target = args->v0.target;
dmaobj->access = args->v0.access;
dmaobj->start = args->v0.start;
dmaobj->limit = args->v0.limit;
Reported by FlawFinder.
Line: 90
Column: 29
CWE codes:
362/367!
Suggestion:
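Set up the correct permissions (e.g., using setuid()) and try to open the file directly
The flagged column appears to land on `dmaobj->access = args->v0.access;`, a plain field assignment. No file is checked or opened in the lines shown, so CWE-362/367 does not seem to apply here.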
args->v0.version, args->v0.target, args->v0.access,
args->v0.start, args->v0.limit);
dmaobj->target = args->v0.target;
dmaobj->access = args->v0.access;
dmaobj->start = args->v0.start;
dmaobj->limit = args->v0.limit;
} else
return ret;
Reported by FlawFinder.
Line: 120
Column: 18
CWE codes:
362/367!
Suggestion:
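Set up the correct permissions (e.g., using setuid()) and try to open the file directly
The flagged token appears to be the field read in `switch (dmaobj->access)`, which maps one access constant to another. Nothing in the excerpt calls access(), so this looks like the same name-match false positive as the other two findings in this file.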
return -EINVAL;
}
switch (dmaobj->access) {
case NV_DMA_V0_ACCESS_VM:
dmaobj->access = NV_MEM_ACCESS_VM;
break;
case NV_DMA_V0_ACCESS_RD:
dmaobj->access = NV_MEM_ACCESS_RO;
Reported by FlawFinder.
drivers/gpu/drm/i915/i915_gpu_error.h
3 issues
Line: 36
Column: 2
CWE codes:
119
120
Suggestion:
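Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
FlawFinder raises this for any fixed-size char array declaration. The declaration of `name[20]` is not a defect in itself; what needs review is each place that writes into the field, none of which is shown here.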
struct i915_vma_coredump {
struct i915_vma_coredump *next;
char name[20];
u64 gtt_offset;
u64 gtt_size;
u32 gtt_page_sizes;
Reported by FlawFinder.
Line: 90
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct intel_instdone instdone;
struct i915_gem_context_coredump {
char comm[TASK_COMM_LEN];
u64 total_runtime;
u32 avg_runtime;
pid_t pid;
Reported by FlawFinder.
Line: 170
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct intel_gt_coredump *gt;
char error_msg[128];
bool simulated;
bool wakelock;
bool suspended;
int iommu;
u32 reset_count;
Reported by FlawFinder.
drivers/infiniband/hw/mlx5/ah.c
3 issues
Line: 62
Column: 3
CWE codes:
120
Suggestion:
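Make sure destination can always hold the source data
The copy length is the literal 16, and the declarations of `ah->av.rgid` and `grh->dgid` are not shown. Confirm both are 16 bytes, or express the length with sizeof() on the destination so the bound follows the declaration.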
if (rdma_ah_get_ah_flags(ah_attr) & IB_AH_GRH) {
const struct ib_global_route *grh = rdma_ah_read_grh(ah_attr);
memcpy(ah->av.rgid, &grh->dgid, 16);
ah->av.grh_gid_fl = cpu_to_be32(grh->flow_label |
(1 << 30) |
grh->sgid_index << 20);
ah->av.hop_limit = grh->hop_limit;
ah->av.tclass = grh->traffic_class;
Reported by FlawFinder.
Line: 79
Column: 3
CWE codes:
120
Suggestion:
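Make sure destination can always hold the source data
The length here is taken from the source (`sizeof(ah_attr->roce.dmac)`). The check the tool asks for is that `ah->av.rmac` is at least that large, which depends on a declaration outside the excerpt.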
init_attr->xmit_slave);
gid_type = ah_attr->grh.sgid_attr->gid_type;
memcpy(ah->av.rmac, ah_attr->roce.dmac,
sizeof(ah_attr->roce.dmac));
ah->av.udp_sport = mlx5_ah_get_udp_sport(dev, ah_attr);
ah->av.stat_rate_sl |= (rdma_ah_get_sl(ah_attr) & 0x7) << 1;
if (gid_type == IB_GID_TYPE_ROCE_UDP_ENCAP)
#define MLX5_ECN_ENABLED BIT(1)
Reported by FlawFinder.
Line: 117
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
resp.response_length = min_resp_len;
memcpy(resp.dmac, ah_attr->roce.dmac, ETH_ALEN);
err = ib_copy_to_udata(udata, &resp, resp.response_length);
if (err)
return err;
}
Reported by FlawFinder.
drivers/input/input-poller.c
3 issues
Line: 143
Column: 9
CWE codes:
120
Suggestion:
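Use sprintf_s, snprintf, or vsnprintf
sprintf_s is not available in kernel code. This body appears to be a sysfs show callback, where the kernel helper is sysfs_emit(), which bounds the write to the PAGE_SIZE buffer sysfs passes in. A "%d\n" rendering of one integer cannot by itself exceed that buffer.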
{
struct input_dev *input = to_input_dev(dev);
return sprintf(buf, "%d\n", input->poller->poll_interval);
}
static ssize_t input_dev_set_poll_interval(struct device *dev,
struct device_attribute *attr,
const char *buf, size_t count)
Reported by FlawFinder.
Line: 188
Column: 9
CWE codes:
120
Suggestion:
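Use sprintf_s, snprintf, or vsnprintf
The DEVICE_ATTR(max, 0444, input_dev_get_poll_max, NULL) line below indicates a sysfs show callback. In kernel code the bounded replacement there is sysfs_emit() rather than sprintf_s, and the single "%d\n" value written is far smaller than the sysfs page buffer.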
{
struct input_dev *input = to_input_dev(dev);
return sprintf(buf, "%d\n", input->poller->poll_interval_max);
}
static DEVICE_ATTR(max, 0444, input_dev_get_poll_max, NULL);
static ssize_t input_dev_get_poll_min(struct device *dev,
Reported by FlawFinder.
Line: 198
Column: 9
CWE codes:
120
Suggestion:
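Use sprintf_s, snprintf, or vsnprintf
As with the other two findings in this file, this is a sysfs show callback (see the DEVICE_ATTR(min, ...) line below). sysfs_emit() is the kernel's bounded form, and the "%d\n" output is a low-risk finding as written.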
{
struct input_dev *input = to_input_dev(dev);
return sprintf(buf, "%d\n", input->poller->poll_interval_min);
}
static DEVICE_ATTR(min, 0444, input_dev_get_poll_min, NULL);
static umode_t input_poller_attrs_visible(struct kobject *kobj,
Reported by FlawFinder.
drivers/input/joystick/a3d.c
3 issues
Line: 48
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int length;
int reads;
int bads;
char phys[32];
};
/*
* a3d_read_packet() reads an Assassin 3D packet.
*/
Reported by FlawFinder.
Line: 165
Column: 11
CWE codes:
119
120
Suggestion:
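Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
In a3d_poll() the array is handed to a3d_read_packet() together with `a3d->length`, apparently as the byte count. The bound to verify is therefore that `a3d->length` can never exceed A3D_MAX_LENGTH; where that value is set is outside the excerpt.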
static void a3d_poll(struct gameport *gameport)
{
struct a3d *a3d = gameport_get_drvdata(gameport);
unsigned char data[A3D_MAX_LENGTH];
a3d->reads++;
if (a3d_read_packet(a3d->gameport, a3d->length, data) != a3d->length ||
data[0] != a3d->mode || a3d_csum(data, a3d->length))
a3d->bads++;
Reported by FlawFinder.
Line: 251
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct a3d *a3d;
struct input_dev *input_dev;
struct gameport *adc;
unsigned char data[A3D_MAX_LENGTH];
int i;
int err;
a3d = kzalloc(sizeof(struct a3d), GFP_KERNEL);
input_dev = input_allocate_device();
Reported by FlawFinder.
drivers/iio/industrialio-sw-device.c
3 issues
Line: 49
Column: 44
CWE codes:
126
int ret = 0;
mutex_lock(&iio_device_types_lock);
iter = __iio_find_sw_device_type(d->name, strlen(d->name));
if (iter)
ret = -EBUSY;
else
list_add_tail(&d->list, &iio_device_types_list);
mutex_unlock(&iio_device_types_lock);
Reported by FlawFinder.
Line: 73
Column: 45
CWE codes:
126
struct iio_sw_device_type *iter;
mutex_lock(&iio_device_types_lock);
iter = __iio_find_sw_device_type(dt->name, strlen(dt->name));
if (iter)
list_del(&dt->list);
mutex_unlock(&iio_device_types_lock);
configfs_unregister_default_group(dt->group);
Reported by FlawFinder.
Line: 88
Column: 39
CWE codes:
126
struct iio_sw_device_type *dt;
mutex_lock(&iio_device_types_lock);
dt = __iio_find_sw_device_type(name, strlen(name));
if (dt && !try_module_get(dt->owner))
dt = NULL;
mutex_unlock(&iio_device_types_lock);
return dt;
Reported by FlawFinder.
drivers/gpu/drm/radeon/radeon_atombios.c
3 issues
Line: 173
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct _ATOM_GPIO_I2C_INFO *i2c_info;
uint16_t data_offset, size;
int i, num_indices;
char stmp[32];
if (atom_parse_data_header(ctx, index, &size, NULL, NULL, &data_offset)) {
i2c_info = (struct _ATOM_GPIO_I2C_INFO *)(ctx->bios + data_offset);
num_indices = (size - sizeof(ATOM_COMMON_TABLE_HEADER)) /
Reported by FlawFinder.
Line: 188
Column: 5
CWE codes:
120
Suggestion:
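Use sprintf_s, snprintf, or vsnprintf
In kernel code the available bounded form is snprintf(stmp, sizeof(stmp), ...). Assuming `stmp` is the 32-byte array flagged at line 173, "0x%x" of a value up to 32 bits wide needs at most 11 bytes including the terminator, so the write fits; the type of `i2c.i2c_id` is not shown.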
i2c = radeon_get_bus_rec_for_i2c_gpio(gpio);
if (i2c.valid) {
sprintf(stmp, "0x%x", i2c.i2c_id);
rdev->i2c_bus[i] = radeon_i2c_create(rdev->ddev, &i2c, stmp);
}
gpio = (ATOM_GPIO_I2C_ASSIGMENT *)
((u8 *)gpio + sizeof(ATOM_GPIO_I2C_ASSIGMENT));
}
Reported by FlawFinder.
Line: 1721
Column: 8
CWE codes:
120
Suggestion:
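Make sure destination can always hold the source data
In the excerpt the allocation size is the larger of EDID_LENGTH and ucFakeEDIDLength (presumably assigned to `edid_size` on the line cut off above), and the copy length is ucFakeEDIDLength, so the destination holds the copy as shown. Two points remain open. kmalloc() does not zero the buffer, so when ucFakeEDIDLength is smaller than EDID_LENGTH the tail stays uninitialised before drm_edid_is_valid() inspects it. The excerpt also does not show whether the source record really contains ucFakeEDIDLength bytes inside the BIOS image.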
max((int)EDID_LENGTH, (int)fake_edid_record->ucFakeEDIDLength);
edid = kmalloc(edid_size, GFP_KERNEL);
if (edid) {
memcpy((u8 *)edid, (u8 *)&fake_edid_record->ucFakeEDIDString[0],
fake_edid_record->ucFakeEDIDLength);
if (drm_edid_is_valid(edid)) {
rdev->mode_info.bios_hardcoded_edid = edid;
rdev->mode_info.bios_hardcoded_edid_size = edid_size;
Reported by FlawFinder.
drivers/gpu/drm/radeon/radeon_atpx_handler.c
3 issues
Line: 180
Column: 3
CWE codes:
120
Suggestion:
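Make sure destination can always hold the source data
The line before the copy clamps `size` to sizeof(output), so the destination bound is enforced in the lines shown. What remains to confirm is that `size` does not exceed the length of the ACPI buffer behind `info->buffer.pointer`, which is outside the excerpt.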
}
size = min(sizeof(output), size);
memcpy(&output, info->buffer.pointer, size);
valid_bits = output.flags & output.valid_flags;
kfree(info);
}
Reported by FlawFinder.
Line: 248
Column: 2
CWE codes:
120
Suggestion:
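Make sure destination can always hold the source data
As in the finding at line 180, `size = min(sizeof(output), size)` bounds the write to `output`. The source side is the open question: the excerpt does not show `size` being checked against the length of the ACPI buffer.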
}
size = min(sizeof(output), size);
memcpy(&output, info->buffer.pointer, size);
/* TODO: check version? */
printk("ATPX version %u, functions 0x%08x\n",
output.version, output.function_bits);
Reported by FlawFinder.
Line: 550
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
static bool radeon_atpx_detect(void)
{
char acpi_method_name[255] = { 0 };
struct acpi_buffer buffer = {sizeof(acpi_method_name), acpi_method_name};
struct pci_dev *pdev = NULL;
bool has_atpx = false;
int vga_count = 0;
bool d3_supported = false;
Reported by FlawFinder.
drivers/gpu/drm/radeon/radeon_combios.c
3 issues
Line: 384
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (edid == NULL)
return false;
memcpy((unsigned char *)edid, raw, size);
if (!drm_edid_is_valid(edid)) {
kfree(edid);
return false;
}
Reported by FlawFinder.
Line: 405
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (rdev->mode_info.bios_hardcoded_edid) {
edid = kmalloc(rdev->mode_info.bios_hardcoded_edid_size, GFP_KERNEL);
if (edid) {
memcpy((unsigned char *)edid,
(unsigned char *)rdev->mode_info.bios_hardcoded_edid,
rdev->mode_info.bios_hardcoded_edid_size);
return edid;
}
}
Reported by FlawFinder.
Line: 1176
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct radeon_device *rdev = dev->dev_private;
uint16_t lcd_info;
uint32_t panel_setup;
char stmp[30];
int tmp, i;
struct radeon_encoder_lvds *lvds = NULL;
lcd_info = combios_get_table_offset(dev, COMBIOS_LCD_INFO_TABLE);
Reported by FlawFinder.
drivers/input/joystick/gf2k.c
3 issues
Line: 71
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int bads;
unsigned char id;
unsigned char length;
char phys[32];
};
/*
* gf2k_read_packet() reads a Genius Flight2000 packet.
*/
Reported by FlawFinder.
Line: 192
Column: 11
CWE codes:
119
120
Suggestion:
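Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
In gf2k_poll() the count passed with `data` is `gf2k_length[gf2k->id]`. Two bounds matter: every entry of gf2k_length must be at most GF2K_LENGTH, and `gf2k->id` must be a valid index into that table. Neither declaration is visible in the excerpt.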
static void gf2k_poll(struct gameport *gameport)
{
struct gf2k *gf2k = gameport_get_drvdata(gameport);
unsigned char data[GF2K_LENGTH];
gf2k->reads++;
if (gf2k_read_packet(gf2k->gameport, gf2k_length[gf2k->id], data) < gf2k_length[gf2k->id])
gf2k->bads++;
Reported by FlawFinder.
Line: 225
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct gf2k *gf2k;
struct input_dev *input_dev;
unsigned char data[GF2K_LENGTH];
int i, err;
gf2k = kzalloc(sizeof(struct gf2k), GFP_KERNEL);
input_dev = input_allocate_device();
if (!gf2k || !input_dev) {
Reported by FlawFinder.