The following issues were found
drivers/gpu/vga/vgaarb.c
3 issues
Line: 1027
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
pdev = priv->target;
if (pdev == NULL || pdev == PCI_INVALID_CARD) {
spin_unlock_irqrestore(&vga_lock, flags);
len = sprintf(lbuf, "invalid");
goto done;
}
/* Find card vgadev structure */
vgadev = vgadev_find(pdev);
Reported by FlawFinder.
Line: 1040
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (pdev == priv->target)
vga_arb_device_card_gone(pdev);
spin_unlock_irqrestore(&vga_lock, flags);
len = sprintf(lbuf, "invalid");
goto done;
}
/* Fill the buffer with infos */
len = snprintf(lbuf, 1024,
Reported by FlawFinder.
Line: 1079
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int io_state;
char kbuf[64], *curr_pos;
size_t remaining = count;
int ret_val;
int i;
Reported by FlawFinder.
drivers/iio/light/isl29018.c
3 issues
Line: 275
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
mutex_lock(&chip->lock);
for (i = 0; i < ARRAY_SIZE(isl29018_scales[chip->int_time]); ++i)
len += sprintf(buf + len, "%d.%06d ",
isl29018_scales[chip->int_time][i].scale,
isl29018_scales[chip->int_time][i].uscale);
mutex_unlock(&chip->lock);
buf[len - 1] = '\n';
Reported by FlawFinder.
Line: 295
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
int len = 0;
for (i = 0; i < ARRAY_SIZE(isl29018_int_utimes[chip->type]); ++i)
len += sprintf(buf + len, "0.%06d ",
isl29018_int_utimes[chip->type][i]);
buf[len - 1] = '\n';
return len;
Reported by FlawFinder.
Line: 332
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
* Return the "proximity scheme" i.e. if the chip does on chip
* infrared suppression (1 means perform on chip suppression)
*/
return sprintf(buf, "%d\n", chip->prox_scheme);
}
static ssize_t proximity_on_chip_ambient_infrared_suppression_store
(struct device *dev, struct device_attribute *attr,
const char *buf, size_t count)
Reported by FlawFinder.
drivers/input/rmi4/rmi_f34.c
3 issues
Line: 463
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char *buf, size_t count)
{
struct rmi_driver_data *data = dev_get_drvdata(dev);
char fw_name[NAME_MAX];
const struct firmware *fw;
size_t copy_count = count;
int ret;
if (count == 0 || count >= NAME_MAX)
Reported by FlawFinder.
Line: 523
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int rmi_f34_probe(struct rmi_function *fn)
{
struct f34_data *f34;
unsigned char f34_queries[9];
bool has_config_id;
u8 version = fn->fd.function_version;
int ret;
f34 = devm_kzalloc(&fn->dev, sizeof(struct f34_data), GFP_KERNEL);
Reported by FlawFinder.
Line: 474
Column: 2
CWE codes:
120
if (buf[count - 1] == '\0' || buf[count - 1] == '\n')
copy_count -= 1;
strncpy(fw_name, buf, copy_count);
fw_name[copy_count] = '\0';
ret = request_firmware(&fw, fw_name, dev);
if (ret)
return ret;
Reported by FlawFinder.
drivers/gpu/drm/gma500/cdv_intel_dp.c
3 issues
Line: 686
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
msg[1] = address >> 8;
msg[2] = address & 0xff;
msg[3] = send_bytes - 1;
memcpy(&msg[4], send, send_bytes);
msg_bytes = send_bytes + 4;
for (;;) {
ret = cdv_intel_dp_aux_ch(encoder, msg, msg_bytes, &ack, 1);
if (ret < 0)
return ret;
Reported by FlawFinder.
Line: 740
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return ret;
ack = reply[0] >> 4;
if ((ack & DP_AUX_NATIVE_REPLY_MASK) == DP_AUX_NATIVE_REPLY_ACK) {
memcpy(recv, reply + 1, ret - 1);
return ret - 1;
}
else if ((ack & DP_AUX_NATIVE_REPLY_MASK) == DP_AUX_NATIVE_REPLY_DEFER)
udelay(100);
else
Reported by FlawFinder.
Line: 863
Column: 2
CWE codes:
120
memset(&intel_dp->adapter, '\0', sizeof (intel_dp->adapter));
intel_dp->adapter.owner = THIS_MODULE;
intel_dp->adapter.class = I2C_CLASS_DDC;
strncpy (intel_dp->adapter.name, name, sizeof(intel_dp->adapter.name) - 1);
intel_dp->adapter.name[sizeof(intel_dp->adapter.name) - 1] = '\0';
intel_dp->adapter.algo_data = &intel_dp->algo;
intel_dp->adapter.dev.parent = connector->base.kdev;
if (is_edp(encoder))
Reported by FlawFinder.
drivers/hwmon/nsa320-hwmon.c
3 issues
Line: 114
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
int channel = to_sensor_dev_attr(attr)->index;
return sprintf(buf, "%s\n", nsa320_input_names[channel]);
}
static ssize_t temp1_input_show(struct device *dev,
struct device_attribute *attr, char *buf)
{
Reported by FlawFinder.
Line: 125
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (mcu_data < 0)
return mcu_data;
return sprintf(buf, "%d\n", (mcu_data & 0xffff) * 100);
}
static ssize_t fan1_input_show(struct device *dev,
struct device_attribute *attr, char *buf)
{
Reported by FlawFinder.
Line: 136
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (mcu_data < 0)
return mcu_data;
return sprintf(buf, "%d\n", ((mcu_data & 0xff0000) >> 16) * 100);
}
static SENSOR_DEVICE_ATTR_RO(temp1_label, label, NSA320_TEMP);
static DEVICE_ATTR_RO(temp1_input);
static SENSOR_DEVICE_ATTR_RO(fan1_label, label, NSA320_FAN);
Reported by FlawFinder.
drivers/input/serio/userio.c
3 issues
Line: 45
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u8 tail;
spinlock_t buf_lock;
unsigned char buf[USERIO_BUFSIZE];
wait_queue_head_t waitq;
};
/**
Reported by FlawFinder.
Line: 127
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct userio_device *userio = file->private_data;
int error;
size_t nonwrap_len, copylen;
unsigned char buf[USERIO_BUFSIZE];
unsigned long flags;
/*
* By the time we get here, the data that was waiting might have
* been taken by another thread. Grab the buffer lock and check if
Reported by FlawFinder.
Line: 145
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
USERIO_BUFSIZE);
copylen = min(nonwrap_len, count);
if (copylen) {
memcpy(buf, &userio->buf[userio->tail], copylen);
userio->tail = (userio->tail + copylen) %
USERIO_BUFSIZE;
}
spin_unlock_irqrestore(&userio->buf_lock, flags);
Reported by FlawFinder.
drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c
3 issues
Line: 237
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return;
}
memcpy(&dither_cfg.matrix, dither_matrix,
sizeof(u32) * DITHER_MATRIX_SZ);
hw_pp->ops.setup_dither(hw_pp, &dither_cfg);
}
Reported by FlawFinder.
Line: 1915
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct dpu_encoder_virt *dpu_enc = to_dpu_encoder_virt(drm_enc);
int i;
char name[DPU_NAME_SIZE];
if (!drm_enc->dev) {
DPU_ERROR("invalid encoder or kms\n");
return -EINVAL;
}
Reported by FlawFinder.
Line: 2184
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
kthread_init_work(&dpu_enc->vsync_event_work,
dpu_encoder_vsync_event_work_handler);
memcpy(&dpu_enc->disp_info, disp_info, sizeof(*disp_info));
DPU_DEBUG_ENC(dpu_enc, "created\n");
return ret;
Reported by FlawFinder.
drivers/input/touchscreen/cyttsp4_core.h
3 issues
Line: 314
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct input_dev *input;
struct mutex report_lock;
bool is_suspended;
char phys[NAME_MAX];
int num_prv_tch;
};
struct cyttsp4 {
struct device *dev;
Reported by FlawFinder.
Line: 350
Column: 8
CWE codes:
120
20
u16 bustype;
int (*write)(struct device *dev, u8 *xfer_buf, u16 addr, u8 length,
const void *values);
int (*read)(struct device *dev, u8 *xfer_buf, u16 addr, u8 length,
void *values);
};
enum cyttsp4_hst_mode_bits {
CY_HST_TOGGLE = (1 << 7),
Reported by FlawFinder.
Line: 430
Column: 22
CWE codes:
120
20
static inline int cyttsp4_adap_read(struct cyttsp4 *ts, u16 addr, int size,
void *buf)
{
return ts->bus_ops->read(ts->dev, ts->xfer_buf, addr, size, buf);
}
static inline int cyttsp4_adap_write(struct cyttsp4 *ts, u16 addr, int size,
const void *buf)
{
Reported by FlawFinder.
drivers/hid/hid-gembird.c
3 issues
Line: 80
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
"fixing Gembird JPD-DualForce 2 report descriptor.\n");
/* start by copying the end of the rdesc */
memcpy(new_rdesc + delta_size, rdesc, *rsize);
/* add the correct beginning */
memcpy(new_rdesc, rdesc, GEMBIRD_START_FAULTY_RDESC);
/* replace the faulty part with the fixed one */
Reported by FlawFinder.
Line: 83
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(new_rdesc + delta_size, rdesc, *rsize);
/* add the correct beginning */
memcpy(new_rdesc, rdesc, GEMBIRD_START_FAULTY_RDESC);
/* replace the faulty part with the fixed one */
memcpy(new_rdesc + GEMBIRD_START_FAULTY_RDESC,
gembird_jpd_fixed_rdesc,
sizeof(gembird_jpd_fixed_rdesc));
Reported by FlawFinder.
Line: 86
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(new_rdesc, rdesc, GEMBIRD_START_FAULTY_RDESC);
/* replace the faulty part with the fixed one */
memcpy(new_rdesc + GEMBIRD_START_FAULTY_RDESC,
gembird_jpd_fixed_rdesc,
sizeof(gembird_jpd_fixed_rdesc));
*rsize = new_size;
rdesc = new_rdesc;
Reported by FlawFinder.
drivers/gpu/drm/i915/gvt/cfg_space.c
3 issues
Line: 94
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* For other configuration space directly copy as it is. */
if (i < bytes)
memcpy(cfg_base + off + i, src + i, bytes - i);
if (off == vgpu->cfg_space.pmcsr_off && vgpu->cfg_space.pmcsr_off) {
pwr = (pci_power_t __force)(*(u16*)(&vgpu_cfg_space(vgpu)[off])
& PCI_PM_CTRL_STATE_MASK);
if (pwr == PCI_D3hot)
Reported by FlawFinder.
Line: 128
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
offset + bytes > vgpu->gvt->device_info.cfg_space_size))
return -EINVAL;
memcpy(p_data, vgpu_cfg_space(vgpu) + offset, bytes);
return 0;
}
static int map_aperture(struct intel_vgpu *vgpu, bool map)
{
Reported by FlawFinder.
Line: 382
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
u16 *gmch_ctl;
u8 next;
memcpy(vgpu_cfg_space(vgpu), gvt->firmware.cfg_space,
info->cfg_space_size);
if (!primary) {
vgpu_cfg_space(vgpu)[PCI_CLASS_DEVICE] =
INTEL_GVT_PCI_CLASS_VGA_OTHER;
Reported by FlawFinder.