The following issues were found
drivers/crypto/xilinx/zynqmp-aes-gcm.c
3 issues
Line: 111
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
data_size = req->cryptlen;
scatterwalk_map_and_copy(kbuf, req->src, 0, req->cryptlen, 0);
memcpy(kbuf + data_size, req->iv, GCM_AES_IV_SIZE);
hwreq->src = dma_addr_data;
hwreq->dst = dma_addr_data;
hwreq->iv = hwreq->src + data_size;
hwreq->keysrc = tfm_ctx->keysrc;
Reported by FlawFinder.
Line: 125
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
hwreq->size = data_size - ZYNQMP_AES_AUTH_SIZE;
if (hwreq->keysrc == ZYNQMP_AES_KUP_KEY) {
memcpy(kbuf + data_size + GCM_AES_IV_SIZE,
tfm_ctx->key, ZYNQMP_AES_KEY_SIZE);
hwreq->key = hwreq->src + data_size + GCM_AES_IV_SIZE;
} else {
hwreq->key = 0;
Reported by FlawFinder.
Line: 259
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
tfm_ctx->keylen = keylen;
if (keylen == ZYNQMP_AES_KEY_SIZE) {
tfm_ctx->keysrc = ZYNQMP_AES_KUP_KEY;
memcpy(tfm_ctx->key, key, keylen);
}
}
tfm_ctx->fbk_cipher->base.crt_flags &= ~CRYPTO_TFM_REQ_MASK;
tfm_ctx->fbk_cipher->base.crt_flags |= (aead->base.crt_flags &
Reported by FlawFinder.
drivers/acpi/proc.c
3 issues
Line: 104
Column: 2
CWE codes:
120
20
Suggestion:
Specify a limit to %s, or use a different input function
if (copy_from_user(strbuf, buffer, count))
return -EFAULT;
strbuf[count] = '\0';
sscanf(strbuf, "%s", str);
mutex_lock(&acpi_device_lock);
list_for_each_entry_safe(dev, tmp, &acpi_wakeup_device_list,
wakeup_list) {
if (!dev->wakeup.flags.valid)
Reported by FlawFinder.
Line: 95
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
size_t count, loff_t * ppos)
{
struct acpi_device *dev, *tmp;
char strbuf[5];
char str[5] = "";
if (count > 4)
count = 4;
Reported by FlawFinder.
Line: 96
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct acpi_device *dev, *tmp;
char strbuf[5];
char str[5] = "";
if (count > 4)
count = 4;
if (copy_from_user(strbuf, buffer, count))
Reported by FlawFinder.
drivers/comedi/comedi_fops.c
3 issues
Line: 2411
Column: 16
CWE codes:
362
vma->vm_ops = &comedi_vm_ops;
vma->vm_private_data = bm;
vma->vm_ops->open(vma);
}
done:
up_read(&dev->attach_lock);
comedi_buf_map_put(bm); /* put reference to buf map - okay if NULL */
Reported by FlawFinder.
Line: 2765
Column: 12
CWE codes:
362
rc = -ENXIO;
goto out;
}
if (dev->open) {
rc = dev->open(dev);
if (rc < 0) {
module_put(dev->driver->module);
goto out;
}
Reported by FlawFinder.
Line: 2766
Column: 14
CWE codes:
362
goto out;
}
if (dev->open) {
rc = dev->open(dev);
if (rc < 0) {
module_put(dev->driver->module);
goto out;
}
}
Reported by FlawFinder.
drivers/clk/clk-si5341.c
3 issues
Line: 76
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct clk_si5341_synth synth[SI5341_NUM_SYNTH];
struct clk_si5341_output clk[SI5341_MAX_NUM_OUTPUTS];
struct clk *input_clk[SI5341_NUM_INPUTS];
const char *input_clk_name[SI5341_NUM_INPUTS];
const u16 *reg_output_offset;
const u16 *reg_rdiv_offset;
u64 freq_vco; /* 13500–14256 MHz */
u8 num_outputs;
u8 num_synth;
Reported by FlawFinder.
Line: 1555
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct clk_init_data init;
struct clk *input;
const char *root_clock_name;
const char *synth_clock_names[SI5341_NUM_SYNTH];
int err;
unsigned int i;
struct clk_si5341_output_config config[SI5341_MAX_NUM_OUTPUTS];
bool initialization_required;
u32 status;
Reported by FlawFinder.
Line: 1586
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
for (i = 0; i < SI5341_MAX_NUM_OUTPUTS; ++i) {
char reg_name[10];
snprintf(reg_name, sizeof(reg_name), "vddo%d", i);
data->clk[i].vddo_reg = devm_regulator_get_optional(
&client->dev, reg_name);
if (IS_ERR(data->clk[i].vddo_reg)) {
Reported by FlawFinder.
drivers/crypto/ccp/ccp-crypto-des3.c
3 issues
Line: 31
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return ret;
if (ctx->u.des3.mode != CCP_DES3_MODE_ECB)
memcpy(req->iv, rctx->iv, DES3_EDE_BLOCK_SIZE);
return 0;
}
static int ccp_des3_setkey(struct crypto_skcipher *tfm, const u8 *key,
Reported by FlawFinder.
Line: 54
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ctx->u.des3.mode = alg->mode;
ctx->u.des3.key_len = key_len;
memcpy(ctx->u.des3.key, key, key_len);
sg_init_one(&ctx->u.des3.key_sg, ctx->u.des3.key, key_len);
return 0;
}
Reported by FlawFinder.
Line: 81
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!req->iv)
return -EINVAL;
memcpy(rctx->iv, req->iv, DES3_EDE_BLOCK_SIZE);
iv_sg = &rctx->iv_sg;
iv_len = DES3_EDE_BLOCK_SIZE;
sg_init_one(iv_sg, rctx->iv, iv_len);
}
Reported by FlawFinder.
drivers/gpu/drm/arm/display/komeda/komeda_pipeline_state.c
3 issues
Line: 199
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*/
if (!has_bit(idx, state->affected_inputs) ||
memcmp(&state->inputs[idx], input, sizeof(*input))) {
memcpy(&state->inputs[idx], input, sizeof(*input));
state->changed_active_inputs |= BIT(idx);
}
state->active_inputs |= BIT(idx);
state->affected_inputs |= BIT(idx);
}
Reported by FlawFinder.
Line: 954
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
bool flip_h = has_flip_h(dflow->rot);
u32 l_out, r_out, overlap;
memcpy(l_dflow, dflow, sizeof(*dflow));
memcpy(r_dflow, dflow, sizeof(*dflow));
l_dflow->right_part = false;
r_dflow->right_part = true;
r_dflow->blending_zorder = dflow->blending_zorder + 1;
Reported by FlawFinder.
Line: 955
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
u32 l_out, r_out, overlap;
memcpy(l_dflow, dflow, sizeof(*dflow));
memcpy(r_dflow, dflow, sizeof(*dflow));
l_dflow->right_part = false;
r_dflow->right_part = true;
r_dflow->blending_zorder = dflow->blending_zorder + 1;
Reported by FlawFinder.
drivers/gpu/drm/amd/include/atom-names.h
3 issues
Line: 33
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#ifdef ATOM_DEBUG
#define ATOM_OP_NAMES_CNT 123
static char *atom_op_names[ATOM_OP_NAMES_CNT] = {
"RESERVED", "MOVE_REG", "MOVE_PS", "MOVE_WS", "MOVE_FB", "MOVE_PLL",
"MOVE_MC", "AND_REG", "AND_PS", "AND_WS", "AND_FB", "AND_PLL", "AND_MC",
"OR_REG", "OR_PS", "OR_WS", "OR_FB", "OR_PLL", "OR_MC", "SHIFT_LEFT_REG",
"SHIFT_LEFT_PS", "SHIFT_LEFT_WS", "SHIFT_LEFT_FB", "SHIFT_LEFT_PLL",
"SHIFT_LEFT_MC", "SHIFT_RIGHT_REG", "SHIFT_RIGHT_PS", "SHIFT_RIGHT_WS",
Reported by FlawFinder.
Line: 59
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
#define ATOM_TABLE_NAMES_CNT 74
static char *atom_table_names[ATOM_TABLE_NAMES_CNT] = {
"ASIC_Init", "GetDisplaySurfaceSize", "ASIC_RegistersInit",
"VRAM_BlockVenderDetection", "SetClocksRatio", "MemoryControllerInit",
"GPIO_PinInit", "MemoryParamAdjust", "DVOEncoderControl",
"GPIOPinControl", "SetEngineClock", "SetMemoryClock", "SetPixelClock",
"DynamicClockGating", "ResetMemoryDLL", "ResetMemoryDevice",
Reported by FlawFinder.
Line: 88
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
#define ATOM_IO_NAMES_CNT 5
static char *atom_io_names[ATOM_IO_NAMES_CNT] = {
"MM", "PLL", "MC", "PCIE", "PCIE PORT",
};
#else
Reported by FlawFinder.
drivers/comedi/drivers/ni_tio.c
3 issues
Line: 165
Column: 32
CWE codes:
120
20
unsigned int ni_tio_read(struct ni_gpct *counter, enum ni_gpct_register reg)
{
if (reg < NITIO_NUM_REGS)
return counter->counter_dev->read(counter, reg);
return 0;
}
EXPORT_SYMBOL_GPL(ni_tio_read);
static void ni_tio_reset_count_and_disarm(struct ni_gpct *counter)
Reported by FlawFinder.
Line: 1767
Column: 20
CWE codes:
120
20
void (*write)(struct ni_gpct *counter,
unsigned int value,
enum ni_gpct_register reg),
unsigned int (*read)(struct ni_gpct *counter,
enum ni_gpct_register reg),
enum ni_gpct_variant variant,
unsigned int num_counters,
unsigned int counters_per_chip,
const struct ni_route_tables *routing_tables)
Reported by FlawFinder.
Line: 1787
Column: 22
CWE codes:
120
20
counter_dev->dev = dev;
counter_dev->write = write;
counter_dev->read = read;
counter_dev->variant = variant;
counter_dev->routing_tables = routing_tables;
spin_lock_init(&counter_dev->regs_lock);
Reported by FlawFinder.
drivers/gpu/drm/amd/include/atomfirmware.h
3 issues
Line: 2771
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
uint8_t refreshrate; // [1:0]=RefreshFactor (00=8ms, 01=16ms, 10=32ms,11=64ms)
uint8_t hbm_ven_rev_id; // hbm_ven_rev_id
uint8_t vram_rsd2; // reserved
char dram_pnstring[20]; // part number end with '0'.
};
struct atom_vram_info_header_v2_3 {
struct atom_common_table_header table_header;
uint16_t mem_adjust_tbloffset; // offset of atom_umc_init_reg_block structure for memory vendor specific UMC adjust setting
Reported by FlawFinder.
Line: 2853
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
uint16_t gddr6_mr1; // gddr6 mode register1 value
uint16_t gddr6_mr2; // gddr6 mode register2 value
uint16_t gddr6_mr7; // gddr6 mode register7 value
char dram_pnstring[20]; // part number end with '0'
};
struct atom_vram_info_header_v2_4 {
struct atom_common_table_header table_header;
uint16_t mem_adjust_tbloffset; // offset of atom_umc_init_reg_block structure for memory vendor specific UMC adjust setting
Reported by FlawFinder.
Line: 2897
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
uint16_t gddr6_mr4; // gddr6 mode register4 value
uint16_t gddr6_mr7; // gddr6 mode register7 value
uint16_t gddr6_mr8; // gddr6 mode register8 value
char dram_pnstring[40]; // part number end with '0'.
};
struct atom_gddr6_ac_timing_v2_5 {
uint32_t u32umc_id_access;
uint8_t RL;
Reported by FlawFinder.
drivers/dax/super.c
3 issues
Line: 76
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
bool dax_enabled = false;
pgoff_t pgoff, pgoff_end;
char buf[BDEVNAME_SIZE];
void *kaddr, *end_kaddr;
pfn_t pfn, end_pfn;
sector_t last_page;
long len, len2;
int err, id;
Reported by FlawFinder.
Line: 172
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct dax_device *dax_dev;
struct request_queue *q;
char buf[BDEVNAME_SIZE];
bool ret;
int id;
q = bdev_get_queue(bdev);
if (!q || !blk_queue_dax(q)) {
Reported by FlawFinder.
Line: 239
Column: 7
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (!dax_dev)
return -ENXIO;
rc = sprintf(buf, "%d\n", !!dax_write_cache_enabled(dax_dev));
put_dax(dax_dev);
return rc;
}
static ssize_t write_cache_store(struct device *dev,
Reported by FlawFinder.