The following issues were found
drivers/gpu/drm/amd/amdgpu/amdgpu_pmu.c
3 issues
Line: 69
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
attr);
if (!amdgpu_pmu_attr->type)
return sprintf(buf, "%s\n", amdgpu_pmu_attr->event_str);
return sprintf(buf, "%s,type=0x%x\n",
amdgpu_pmu_attr->event_str, amdgpu_pmu_attr->type);
}
Reported by FlawFinder.
Line: 71
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (!amdgpu_pmu_attr->type)
return sprintf(buf, "%s\n", amdgpu_pmu_attr->event_str);
return sprintf(buf, "%s,type=0x%x\n",
amdgpu_pmu_attr->event_str, amdgpu_pmu_attr->type);
}
static LIST_HEAD(amdgpu_pmu_list);
Reported by FlawFinder.
Line: 473
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
&pmu_entry->evt_attr_group,
NULL
};
char pmu_name[PMU_NAME_SIZE];
int ret = 0, total_num_events = 0;
pmu_entry->pmu = (struct pmu){
.event_init = amdgpu_perf_event_init,
.add = amdgpu_perf_add,
Reported by FlawFinder.
drivers/accessibility/speakup/i18n.c
3 issues
Line: 13
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#include "speakup.h"
#include "spk_priv.h"
static char *speakup_msgs[MSG_LAST_INDEX];
static char *speakup_default_msgs[MSG_LAST_INDEX] = {
[MSG_BLANK] = "blank",
[MSG_IAM_ALIVE] = "I'm aLive!",
[MSG_YOU_KILLED_SPEAKUP] = "You killed speakup!",
[MSG_HEY_THATS_BETTER] = "hey. That's better!",
Reported by FlawFinder.
Line: 14
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#include "spk_priv.h"
static char *speakup_msgs[MSG_LAST_INDEX];
static char *speakup_default_msgs[MSG_LAST_INDEX] = {
[MSG_BLANK] = "blank",
[MSG_IAM_ALIVE] = "I'm aLive!",
[MSG_YOU_KILLED_SPEAKUP] = "You killed speakup!",
[MSG_HEY_THATS_BETTER] = "hey. That's better!",
[MSG_YOU_TURNED_ME_OFF] = "You turned me off!",
Reported by FlawFinder.
Line: 612
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Called at initialization time, to establish default messages. */
void spk_initialize_msgs(void)
{
memcpy(speakup_msgs, speakup_default_msgs,
sizeof(speakup_default_msgs));
}
/* Free user-supplied strings when module is unloaded: */
void spk_free_user_msgs(void)
Reported by FlawFinder.
drivers/firmware/efi/dev-path-parser.c
3 issues
Line: 18
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static long __init parse_acpi_path(const struct efi_dev_path *node,
struct device *parent, struct device **child)
{
char hid[ACPI_ID_LEN], uid[11]; /* UINT_MAX + null byte */
struct acpi_device *adev;
struct device *phys_dev;
if (node->header.length != 12)
return -EINVAL;
Reported by FlawFinder.
Line: 25
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (node->header.length != 12)
return -EINVAL;
sprintf(hid, "%c%c%c%04X",
'A' + ((node->acpi.hid >> 10) & 0x1f) - 1,
'A' + ((node->acpi.hid >> 5) & 0x1f) - 1,
'A' + ((node->acpi.hid >> 0) & 0x1f) - 1,
node->acpi.hid >> 16);
sprintf(uid, "%u", node->acpi.uid);
Reported by FlawFinder.
Line: 30
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
'A' + ((node->acpi.hid >> 5) & 0x1f) - 1,
'A' + ((node->acpi.hid >> 0) & 0x1f) - 1,
node->acpi.hid >> 16);
sprintf(uid, "%u", node->acpi.uid);
for_each_acpi_dev_match(adev, hid, NULL, -1) {
if (adev->pnp.unique_id && !strcmp(adev->pnp.unique_id, uid))
break;
if (!adev->pnp.unique_id && node->acpi.uid == 0)
Reported by FlawFinder.
crypto/xts.c
3 issues
Line: 160
Column: 11
CWE codes:
327
Suggestion:
Use a different algorithm, such as SHA-256, with a larger, non-repeating salt
}
static int xts_cts_final(struct skcipher_request *req,
int (*crypt)(struct skcipher_request *req))
{
const struct xts_tfm_ctx *ctx =
crypto_skcipher_ctx(crypto_skcipher_reqtfm(req));
int offset = req->cryptlen & ~(XTS_BLOCK_SIZE - 1);
struct xts_request_ctx *rctx = skcipher_request_ctx(req);
Reported by FlawFinder.
Line: 188
Column: 8
CWE codes:
327
Suggestion:
Use a different algorithm, such as SHA-256, with a larger, non-repeating salt
skcipher_request_set_crypt(subreq, rctx->tail, rctx->tail,
XTS_BLOCK_SIZE, NULL);
err = crypt(subreq);
if (err)
return err;
scatterwalk_map_and_copy(b, rctx->tail, 0, XTS_BLOCK_SIZE, 0);
le128_xor(b, &rctx->t, b);
Reported by FlawFinder.
Line: 31
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct xts_instance_ctx {
struct crypto_skcipher_spawn spawn;
char name[CRYPTO_MAX_ALG_NAME];
};
struct xts_request_ctx {
le128 t;
struct scatterlist *tail;
Reported by FlawFinder.
crypto/xcbc.c
3 issues
Line: 99
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* checking the data can fill the block */
if ((ctx->len + len) <= bs) {
memcpy(odds + ctx->len, p, len);
ctx->len += len;
return 0;
}
/* filling odds with new data and encrypting it */
Reported by FlawFinder.
Line: 105
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
/* filling odds with new data and encrypting it */
memcpy(odds + ctx->len, p, bs - ctx->len);
len -= bs - ctx->len;
p += bs - ctx->len;
crypto_xor(prev, odds, bs);
crypto_cipher_encrypt_one(tfm, prev, prev);
Reported by FlawFinder.
Line: 125
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* keeping the surplus of blocksize */
if (len) {
memcpy(odds, p, len);
ctx->len = len;
}
return 0;
}
Reported by FlawFinder.
drivers/devfreq/event/rockchip-dfi.c
3 issues
Line: 41
Column: 6
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
#define DDRMON_CH1_DFI_ACCESS_NUM 0x40
struct dmc_usage {
u32 access;
u32 total;
};
/*
* The dfi controller can monitor DDR load. It has an upper and lower threshold
Reported by FlawFinder.
Line: 108
Column: 27
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
DDRMON_CH0_DFI_ACCESS_NUM + i * 20) * 4;
info->ch_usage[i].total = readl_relaxed(dfi_regs +
DDRMON_CH0_COUNT_NUM + i * 20);
tmp = info->ch_usage[i].access;
if (tmp > max) {
busier_ch = i;
max = tmp;
}
}
Reported by FlawFinder.
Line: 157
Column: 48
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
busier_ch = rockchip_dfi_get_busier_ch(edev);
edata->load_count = info->ch_usage[busier_ch].access;
edata->total_count = info->ch_usage[busier_ch].total;
return 0;
}
Reported by FlawFinder.
drivers/crypto/amlogic/amlogic-gxl-cipher.c
3 issues
Line: 126
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!bkeyiv)
return -ENOMEM;
memcpy(bkeyiv, op->key, op->keylen);
keyivlen = op->keylen;
ivsize = crypto_skcipher_ivsize(tfm);
if (areq->iv && ivsize > 0) {
if (ivsize > areq->cryptlen) {
Reported by FlawFinder.
Line: 136
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
err = -EINVAL;
goto theend;
}
memcpy(bkeyiv + 32, areq->iv, ivsize);
keyivlen = 48;
if (rctx->op_dir == MESON_DECRYPT) {
backup_iv = kzalloc(ivsize, GFP_KERNEL);
if (!backup_iv) {
err = -ENOMEM;
Reported by FlawFinder.
Line: 247
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (areq->iv && ivsize > 0) {
if (rctx->op_dir == MESON_DECRYPT) {
memcpy(areq->iv, backup_iv, ivsize);
} else {
scatterwalk_map_and_copy(areq->iv, areq->dst,
areq->cryptlen - ivsize,
ivsize, 0);
}
Reported by FlawFinder.
drivers/comedi/drivers/ni_tiocmd.c
3 issues
Line: 39
Column: 24
CWE codes:
120
20
#include "ni_routes.h"
static void ni_tio_configure_dma(struct ni_gpct *counter,
bool enable, bool read)
{
struct ni_gpct_device *counter_dev = counter->counter_dev;
unsigned int cidx = counter->counter_index;
unsigned int mask;
unsigned int bits;
Reported by FlawFinder.
Line: 50
Column: 7
CWE codes:
120
20
bits = 0;
if (enable) {
if (read)
bits |= GI_READ_ACKS_IRQ;
else
bits |= GI_WRITE_ACKS_IRQ;
}
ni_tio_set_bits(counter, NITIO_INPUT_SEL_REG(cidx), mask, bits);
Reported by FlawFinder.
Line: 67
Column: 8
CWE codes:
120
20
if (enable)
bits |= GI_DMA_ENABLE | GI_DMA_INT_ENA;
if (!read)
bits |= GI_DMA_WRITE;
ni_tio_set_bits(counter, NITIO_DMA_CFG_REG(cidx), mask, bits);
break;
}
}
Reported by FlawFinder.
drivers/gpu/drm/amd/amdgpu/amdgpu_ring.h
3 issues
Line: 236
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned wptr_offs;
unsigned fence_offs;
uint64_t current_ctx;
char name[16];
u32 trail_seq;
unsigned trail_fence_offs;
u64 trail_fence_gpu_addr;
volatile u32 *trail_fence_cpu_addr;
unsigned cond_exe_offs;
Reported by FlawFinder.
Line: 337
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
chunk2 <<= 2;
if (chunk1)
memcpy(dst, src, chunk1);
if (chunk2) {
src += chunk1;
dst = (void *)ring->ring;
memcpy(dst, src, chunk2);
Reported by FlawFinder.
Line: 342
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (chunk2) {
src += chunk1;
dst = (void *)ring->ring;
memcpy(dst, src, chunk2);
}
ring->wptr += count_dw;
ring->wptr &= ring->ptr_mask;
ring->count_dw -= count_dw;
Reported by FlawFinder.
drivers/acpi/acpica/nsxfname.c
3 issues
Line: 106
return (status);
}
ACPI_EXPORT_SYMBOL(acpi_get_handle)
/******************************************************************************
*
* FUNCTION: acpi_get_name
*
Reported by Cppcheck.
Line: 193
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Copy actual string and return a pointer to the next string area */
memcpy(string_area, source->string, source->length);
return (string_area + source->length);
}
/******************************************************************************
*
Reported by FlawFinder.
Line: 567
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Copy the method AML to the local buffer */
memcpy(aml_buffer, aml_start, aml_length);
/* Initialize the method object with the new method's information */
method_obj->method.aml_start = aml_buffer;
method_obj->method.aml_length = aml_length;
Reported by FlawFinder.