The following issues were found
drivers/acpi/apei/einj.c
3 issues
Line: 75
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static u32 vendor_flags;
static struct debugfs_blob_wrapper vendor_blob;
static char vendor_dev[64];
/*
* Some BIOSes allow parameters to the SET_ERROR_TYPE entries in the
* EINJ table through an unpublished extension. Use with caution as
* most will ignore the parameter and make their own choice of address
Reported by FlawFinder.
Line: 197
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (!v)
return;
sbdf = v->pcie_sbdf;
sprintf(vendor_dev, "%x:%x:%x.%x vendor_id=%x device_id=%x rev_id=%x\n",
sbdf >> 24, (sbdf >> 16) & 0xff,
(sbdf >> 11) & 0x1f, (sbdf >> 8) & 0x7,
v->vendor_id, v->device_id, v->rev_id);
acpi_os_unmap_iomem(v, sizeof(*v));
}
Reported by FlawFinder.
Line: 746
Column: 22
CWE codes:
126
if (vendor_dev[0]) {
vendor_blob.data = vendor_dev;
vendor_blob.size = strlen(vendor_dev);
debugfs_create_blob("vendor", S_IRUSR, einj_debug_dir,
&vendor_blob);
debugfs_create_x32("vendor_flags", S_IRUSR | S_IWUSR,
einj_debug_dir, &vendor_flags);
}
Reported by FlawFinder.
drivers/acpi/acpica/exprep.c
3 issues
Line: 198
Column: 6
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
acpi_ex_decode_field_access(union acpi_operand_object *obj_desc,
u8 field_flags, u32 * return_byte_alignment)
{
u32 access;
u32 byte_alignment;
u32 bit_length;
ACPI_FUNCTION_TRACE(ex_decode_field_access);
Reported by FlawFinder.
Line: 206
Column: 10
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
access = (field_flags & AML_FIELD_ACCESS_TYPE_MASK);
switch (access) {
case AML_FIELD_ACCESS_ANY:
#ifdef ACPI_UNDER_DEVELOPMENT
byte_alignment =
acpi_ex_generate_access(obj_desc->common_field.
Reported by FlawFinder.
Line: 253
Column: 58
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
/* Invalid field access type */
ACPI_ERROR((AE_INFO, "Unknown field access type 0x%X", access));
return_UINT32(0);
}
if (obj_desc->common.type == ACPI_TYPE_BUFFER_FIELD) {
Reported by FlawFinder.
drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu8_hwmgr.c
3 issues
Line: 1561
Column: 12
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
CURR_SCLK_INDEX);
for (i = 0; i < sclk_table->count; i++)
size += sprintf(buf + size, "%d: %uMhz %s\n",
i, sclk_table->entries[i].clk / 100,
(i == now) ? "*" : "");
break;
case PP_MCLK:
now = PHM_GET_FIELD(cgs_read_ind_register(hwmgr->device,
Reported by FlawFinder.
Line: 1573
Column: 12
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
CURR_MCLK_INDEX);
for (i = SMU8_NUM_NBPMEMORYCLOCK; i > 0; i--)
size += sprintf(buf + size, "%d: %uMhz %s\n",
SMU8_NUM_NBPMEMORYCLOCK-i, data->sys_info.nbp_memory_clock[i-1] / 100,
(SMU8_NUM_NBPMEMORYCLOCK-i == now) ? "*" : "");
break;
default:
break;
Reported by FlawFinder.
Line: 1847
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
struct smu8_hwmgr *data = hwmgr->backend;
memcpy(thermal_data, &SMU7ThermalPolicy[0], sizeof(struct PP_TemperatureRange));
thermal_data->max = (data->thermal_auto_throttling_treshold +
data->sys_info.htc_hyst_lmt) *
PP_TEMPERATURE_UNITS_PER_CENTIGRADES;
Reported by FlawFinder.
drivers/gpu/drm/bridge/analogix/analogix_dp_core.c
3 issues
Line: 327
Column: 17
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
return 0;
}
static unsigned char analogix_dp_get_lane_status(u8 link_status[2], int lane)
{
int shift = (lane & 1) * 4;
u8 link_value = link_status[lane >> 1];
return (link_value >> shift) & 0xf;
Reported by FlawFinder.
Line: 367
Column: 17
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
return 0;
}
static unsigned char
analogix_dp_get_adjust_request_voltage(u8 adjust_request[2], int lane)
{
int shift = (lane & 1) * 4;
u8 link_value = adjust_request[lane >> 1];
Reported by FlawFinder.
Line: 376
Column: 17
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
return (link_value >> shift) & 0x3;
}
static unsigned char analogix_dp_get_adjust_request_pre_emphasis(
u8 adjust_request[2],
int lane)
{
int shift = (lane & 1) * 4;
u8 link_value = adjust_request[lane >> 1];
Reported by FlawFinder.
crypto/ecrdsa.c
3 issues
Line: 75
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req);
struct ecrdsa_ctx *ctx = akcipher_tfm_ctx(tfm);
unsigned char sig[ECRDSA_MAX_SIG_SIZE];
unsigned char digest[STREEBOG512_DIGEST_SIZE];
unsigned int ndigits = req->dst_len / sizeof(u64);
u64 r[ECRDSA_MAX_DIGITS]; /* witness (r) */
u64 _r[ECRDSA_MAX_DIGITS]; /* -r */
u64 s[ECRDSA_MAX_DIGITS]; /* second part of sig (s) */
Reported by FlawFinder.
Line: 76
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req);
struct ecrdsa_ctx *ctx = akcipher_tfm_ctx(tfm);
unsigned char sig[ECRDSA_MAX_SIG_SIZE];
unsigned char digest[STREEBOG512_DIGEST_SIZE];
unsigned int ndigits = req->dst_len / sizeof(u64);
u64 r[ECRDSA_MAX_DIGITS]; /* witness (r) */
u64 _r[ECRDSA_MAX_DIGITS]; /* -r */
u64 s[ECRDSA_MAX_DIGITS]; /* second part of sig (s) */
u64 e[ECRDSA_MAX_DIGITS]; /* h \mod q */
Reported by FlawFinder.
Line: 186
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
static u8 *ecrdsa_unpack_u32(u32 *dst, void *src)
{
memcpy(dst, src, sizeof(u32));
return src + sizeof(u32);
}
/* Parse BER encoded subjectPublicKey. */
static int ecrdsa_set_pub_key(struct crypto_akcipher *tfm, const void *key,
Reported by FlawFinder.
crypto/echainiv.c
3 issues
Line: 65
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
req->cryptlen, info);
aead_request_set_ad(subreq, req->assoclen);
memcpy(&nseqno, info + ivsize - 8, 8);
seqno = be64_to_cpu(nseqno);
memset(info, 0, ivsize);
scatterwalk_map_and_copy(info, req->dst, req->assoclen, ivsize, 1);
Reported by FlawFinder.
Line: 74
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
do {
u64 a;
memcpy(&a, ctx->salt + ivsize - 8, 8);
a |= 1;
a *= seqno;
memcpy(info + ivsize - 8, &a, 8);
Reported by FlawFinder.
Line: 79
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
a |= 1;
a *= seqno;
memcpy(info + ivsize - 8, &a, 8);
} while ((ivsize -= 8));
return crypto_aead_encrypt(subreq);
}
Reported by FlawFinder.
crypto/ecdsa.c
3 issues
Line: 69
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memset(rs, 0, -diff);
}
memcpy(&rs[-diff], d, vlen);
ecc_swap_digits((u64 *)rs, dest, ndigits);
return 0;
}
Reported by FlawFinder.
Line: 172
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (diff >= 0) {
if (diff)
memset(rawhash, 0, diff);
memcpy(&rawhash[diff], buffer + req->src_len, req->dst_len);
} else if (diff < 0) {
/* given hash is longer, we take the left-most bytes */
memcpy(&rawhash, buffer + req->src_len, keylen);
}
Reported by FlawFinder.
Line: 175
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(&rawhash[diff], buffer + req->src_len, req->dst_len);
} else if (diff < 0) {
/* given hash is longer, we take the left-most bytes */
memcpy(&rawhash, buffer + req->src_len, keylen);
}
ecc_swap_digits((u64 *)rawhash, hash, ctx->curve->g.ndigits);
ret = _ecdsa_verify(ctx, hash, sig_ctx.r, sig_ctx.s);
Reported by FlawFinder.
crypto/wp512.c
3 issues
Line: 1087
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memset(&buffer[bufferPos], 0,
(WP512_BLOCK_SIZE - WP512_LENGTHBYTES) - bufferPos);
bufferPos = WP512_BLOCK_SIZE - WP512_LENGTHBYTES;
memcpy(&buffer[WP512_BLOCK_SIZE - WP512_LENGTHBYTES],
bitLength, WP512_LENGTHBYTES);
wp512_process_buffer(wctx);
for (i = 0; i < WP512_DIGEST_SIZE/8; i++)
digest[i] = cpu_to_be64(wctx->hash[i]);
wctx->bufferBits = bufferBits;
Reported by FlawFinder.
Line: 1103
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
u8 D[64];
wp512_final(desc, D);
memcpy(out, D, WP384_DIGEST_SIZE);
memzero_explicit(D, WP512_DIGEST_SIZE);
return 0;
}
Reported by FlawFinder.
Line: 1114
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
u8 D[64];
wp512_final(desc, D);
memcpy(out, D, WP256_DIGEST_SIZE);
memzero_explicit(D, WP512_DIGEST_SIZE);
return 0;
}
Reported by FlawFinder.
drivers/gpu/drm/amd/pm/powerplay/si_dpm.c
3 issues
Line: 7609
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int si_dpm_init_microcode(struct amdgpu_device *adev)
{
const char *chip_name;
char fw_name[30];
int err;
DRM_DEBUG("\n");
switch (adev->asic_type) {
case CHIP_TAHITI:
Reported by FlawFinder.
Line: 7940
Column: 11
CWE codes:
126
Suggestion:
This function is often discouraged by most C++ coding standards in favor of its safer alternatives provided since C++14. Consider using a form of this function that checks the second iterator before potentially overflowing it
static int si_check_state_equal(void *handle,
void *current_ps,
void *request_ps,
bool *equal)
{
struct si_ps *si_cps;
struct si_ps *si_rps;
int i;
struct amdgpu_ps *cps = (struct amdgpu_ps *)current_ps;
Reported by FlawFinder.
Line: 7976
Column: 3
CWE codes:
126
Suggestion:
This function is often discouraged by most C++ coding standards in favor of its safer alternatives provided since C++14. Consider using a form of this function that checks the second iterator before potentially overflowing it
/* If all performance levels are the same try to use the UVD clocks to break the tie.*/
*equal = ((cps->vclk == rps->vclk) && (cps->dclk == rps->dclk));
*equal &= ((cps->evclk == rps->evclk) && (cps->ecclk == rps->ecclk));
return 0;
}
static int si_dpm_read_sensor(void *handle, int idx,
Reported by FlawFinder.
drivers/fpga/dfl-afu-error.c
3 issues
Line: 128
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
error = readq(base + PORT_ERROR);
mutex_unlock(&pdata->lock);
return sprintf(buf, "0x%llx\n", (unsigned long long)error);
}
static ssize_t errors_store(struct device *dev, struct device_attribute *attr,
const char *buff, size_t count)
{
Reported by FlawFinder.
Line: 159
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
error = readq(base + PORT_FIRST_ERROR);
mutex_unlock(&pdata->lock);
return sprintf(buf, "0x%llx\n", (unsigned long long)error);
}
static DEVICE_ATTR_RO(first_error);
static ssize_t first_malformed_req_show(struct device *dev,
struct device_attribute *attr,
Reported by FlawFinder.
Line: 178
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
req1 = readq(base + PORT_MALFORMED_REQ1);
mutex_unlock(&pdata->lock);
return sprintf(buf, "0x%016llx%016llx\n",
(unsigned long long)req1, (unsigned long long)req0);
}
static DEVICE_ATTR_RO(first_malformed_req);
static struct attribute *port_err_attrs[] = {
Reported by FlawFinder.