The following issues were found
drivers/gpu/drm/drm_debugfs.c
3 issues
Line: 209
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct dentry *root)
{
struct drm_device *dev = minor->dev;
char name[64];
INIT_LIST_HEAD(&minor->debugfs_list);
mutex_init(&minor->debugfs_lock);
sprintf(name, "%d", minor_id);
minor->debugfs_root = debugfs_create_dir(name, root);
Reported by FlawFinder.
Line: 213
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
INIT_LIST_HEAD(&minor->debugfs_list);
mutex_init(&minor->debugfs_lock);
sprintf(name, "%d", minor_id);
minor->debugfs_root = debugfs_create_dir(name, root);
drm_debugfs_create_files(drm_debugfs_list, DRM_DEBUGFS_ENTRIES,
minor->debugfs_root, minor);
Reported by FlawFinder.
Line: 304
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct seq_file *m = file->private_data;
struct drm_connector *connector = m->private;
char buf[12];
if (len > sizeof(buf) - 1)
return -EINVAL;
if (copy_from_user(buf, ubuf, len))
Reported by FlawFinder.
drivers/fpga/dfl.c
3 issues
Line: 42
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static struct lock_class_key dfl_pdata_keys[DFL_ID_MAX];
static const char *dfl_pdata_key_strings[DFL_ID_MAX] = {
"dfl-fme-pdata",
"dfl-port-pdata",
};
/**
Reported by FlawFinder.
Line: 311
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct dfl_device *ddev = to_dfl_dev(dev);
return sprintf(buf, "0x%x\n", ddev->type);
}
static DEVICE_ATTR_RO(type);
static ssize_t
feature_id_show(struct device *dev, struct device_attribute *attr, char *buf)
Reported by FlawFinder.
Line: 320
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct dfl_device *ddev = to_dfl_dev(dev);
return sprintf(buf, "0x%x\n", ddev->feature_id);
}
static DEVICE_ATTR_RO(feature_id);
static struct attribute *dfl_dev_attrs[] = {
&dev_attr_type.attr,
Reported by FlawFinder.
drivers/fpga/fpga-bridge.c
3 issues
Line: 289
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct fpga_bridge *bridge = to_fpga_bridge(dev);
return sprintf(buf, "%s\n", bridge->name);
}
static ssize_t state_show(struct device *dev,
struct device_attribute *attr, char *buf)
{
Reported by FlawFinder.
Line: 301
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (bridge->br_ops && bridge->br_ops->enable_show)
enable = bridge->br_ops->enable_show(bridge);
return sprintf(buf, "%s\n", enable ? "enabled" : "disabled");
}
static DEVICE_ATTR_RO(name);
static DEVICE_ATTR_RO(state);
Reported by FlawFinder.
Line: 333
Column: 16
CWE codes:
126
struct fpga_bridge *bridge;
int id, ret;
if (!name || !strlen(name)) {
dev_err(parent, "Attempt to register with no name!\n");
return NULL;
}
bridge = kzalloc(sizeof(*bridge), GFP_KERNEL);
Reported by FlawFinder.
drivers/dma/dmaengine.c
3 issues
Line: 175
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (chan) {
for_each_possible_cpu(i)
count += per_cpu_ptr(chan->local, i)->memcpy_count;
err = sprintf(buf, "%lu\n", count);
} else
err = -ENODEV;
mutex_unlock(&dma_list_mutex);
return err;
Reported by FlawFinder.
Line: 197
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (chan) {
for_each_possible_cpu(i)
count += per_cpu_ptr(chan->local, i)->bytes_transferred;
err = sprintf(buf, "%lu\n", count);
} else
err = -ENODEV;
mutex_unlock(&dma_list_mutex);
return err;
Reported by FlawFinder.
Line: 215
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
mutex_lock(&dma_list_mutex);
chan = dev_to_dma_chan(dev);
if (chan)
err = sprintf(buf, "%d\n", chan->client_count);
else
err = -ENODEV;
mutex_unlock(&dma_list_mutex);
return err;
Reported by FlawFinder.
drivers/comedi/drivers/comedi_bond.c
3 issues
Line: 55
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
struct comedi_bond_private {
char name[256];
struct bonded_device **devs;
unsigned int ndevs;
unsigned int nchans;
};
Reported by FlawFinder.
Line: 182
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* building our device list.
*/
for (i = 0; i < COMEDI_NDEVCONFOPTS && (!i || it->options[i]); ++i) {
char file[sizeof("/dev/comediXXXXXX")];
int minor = it->options[i];
struct comedi_device *d;
int sdev = -1, nchans;
struct bonded_device *bdev;
struct bonded_device **devs;
Reported by FlawFinder.
Line: 255
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
devpriv->devs[devpriv->ndevs++] = bdev;
{
/* Append dev:subdev to devpriv->name */
char buf[20];
snprintf(buf, sizeof(buf), "%u:%u ",
bdev->minor, bdev->subdev);
strlcat(devpriv->name, buf,
sizeof(devpriv->name));
Reported by FlawFinder.
drivers/acpi/acpi_ipmi.c
3 issues
Line: 273
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -EINVAL;
}
msg->data_len = buffer->length;
memcpy(tx_msg->data, buffer->data, msg->data_len);
/*
* now the default type is SYSTEM_INTERFACE and channel type is BMC.
* If the netfn is APP_REQUEST and the cmd is SEND_MESSAGE,
* the addr type should be changed to IPMB. Then we will have to parse
Reported by FlawFinder.
Line: 321
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* will be ACPI_IPMI_OK
*/
buffer->length = msg->rx_len;
memcpy(buffer->data, msg->data, msg->rx_len);
}
static void ipmi_flush_tx_msg(struct acpi_ipmi_device *ipmi)
{
struct acpi_ipmi_msg *tx_msg;
Reported by FlawFinder.
Line: 426
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
tx_msg->rx_len = msg->msg.data_len;
memcpy(tx_msg->data, msg->msg.data, tx_msg->rx_len);
tx_msg->msg_done = ACPI_IPMI_OK;
out_comp:
complete(&tx_msg->tx_complete);
acpi_ipmi_msg_put(tx_msg);
Reported by FlawFinder.
drivers/gpu/drm/amd/amdgpu/gfx_v6_0.c
3 issues
Line: 314
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int gfx_v6_0_init_microcode(struct amdgpu_device *adev)
{
const char *chip_name;
char fw_name[30];
int err;
const struct gfx_firmware_header_v1_0 *cp_hdr;
const struct rlc_firmware_header_v1_0 *rlc_hdr;
DRM_DEBUG("\n");
Reported by FlawFinder.
Line: 3113
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
for (i = 0; i < adev->gfx.num_gfx_rings; i++) {
ring = &adev->gfx.gfx_ring[i];
ring->ring_obj = NULL;
sprintf(ring->name, "gfx");
r = amdgpu_ring_init(adev, ring, 1024,
&adev->gfx.eop_irq,
AMDGPU_CP_IRQ_GFX_ME0_PIPE0_EOP,
AMDGPU_RING_PRIO_DEFAULT, NULL);
if (r)
Reported by FlawFinder.
Line: 3136
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
ring->me = 1;
ring->pipe = i;
ring->queue = i;
sprintf(ring->name, "comp_%d.%d.%d", ring->me, ring->pipe, ring->queue);
irq_type = AMDGPU_CP_IRQ_COMPUTE_MEC1_PIPE0_EOP + ring->pipe;
r = amdgpu_ring_init(adev, ring, 1024,
&adev->gfx.eop_irq, irq_type,
AMDGPU_RING_PRIO_DEFAULT, NULL);
if (r)
Reported by FlawFinder.
drivers/gpu/drm/amd/amdgpu/gfx_v7_0.c
3 issues
Line: 905
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int gfx_v7_0_init_microcode(struct amdgpu_device *adev)
{
const char *chip_name;
char fw_name[30];
int err;
DRM_DEBUG("\n");
switch (adev->asic_type) {
Reported by FlawFinder.
Line: 4432
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
ring->ring_obj = NULL;
ring->use_doorbell = true;
ring->doorbell_index = adev->doorbell_index.mec_ring0 + ring_id;
sprintf(ring->name, "comp_%d.%d.%d", ring->me, ring->pipe, ring->queue);
irq_type = AMDGPU_CP_IRQ_COMPUTE_MEC1_PIPE0_EOP
+ ((ring->me - 1) * adev->gfx.mec.num_pipe_per_mec)
+ ring->pipe;
Reported by FlawFinder.
Line: 4511
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
for (i = 0; i < adev->gfx.num_gfx_rings; i++) {
ring = &adev->gfx.gfx_ring[i];
ring->ring_obj = NULL;
sprintf(ring->name, "gfx");
r = amdgpu_ring_init(adev, ring, 1024,
&adev->gfx.eop_irq,
AMDGPU_CP_IRQ_GFX_ME0_PIPE0_EOP,
AMDGPU_RING_PRIO_DEFAULT, NULL);
if (r)
Reported by FlawFinder.
drivers/cpufreq/acpi-cpufreq.c
3 issues
Line: 175
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t show_cpb(struct cpufreq_policy *policy, char *buf)
{
return sprintf(buf, "%u\n", acpi_cpufreq_driver.boost_enabled);
}
cpufreq_freq_attr_rw(cpb);
#endif
Reported by FlawFinder.
Line: 294
Column: 9
CWE codes:
120
20
u32 val;
union {
void (*write)(struct acpi_pct_register *reg, u32 val);
u32 (*read)(struct acpi_pct_register *reg);
} func;
};
/* Called via smp_call_function_single(), on the target CPU */
static void do_drv_read(void *_cmd)
Reported by FlawFinder.
Line: 303
Column: 23
CWE codes:
120
20
{
struct drv_cmd *cmd = _cmd;
cmd->val = cmd->func.read(cmd->reg);
}
static u32 drv_read(struct acpi_cpufreq_data *data, const struct cpumask *mask)
{
struct acpi_processor_performance *perf = to_perf_data(data);
Reported by FlawFinder.
drivers/char/tpm/tpm_ftpm_tee.c
3 issues
Line: 57
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -EIO;
}
memcpy(buf, pvt_data->resp_buf, len);
pvt_data->resp_len = 0;
return len;
}
Reported by FlawFinder.
Line: 119
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return PTR_ERR(temp_buf);
}
memset(temp_buf, 0, (MAX_COMMAND_SIZE + MAX_RESPONSE_SIZE));
memcpy(temp_buf, buf, len);
command_params[1] = (struct tee_param) {
.attr = TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INOUT,
.u.memref = {
.shm = shm,
Reported by FlawFinder.
Line: 162
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
/* sanity checks look good, cache the response */
memcpy(pvt_data->resp_buf, temp_buf, resp_len);
pvt_data->resp_len = resp_len;
return 0;
}
Reported by FlawFinder.