The following issues were found
drivers/firmware/efi/libstub/file.c
3 issues
Line: 47
Column: 19
CWE codes:
362
unsigned long info_sz;
efi_status_t status;
status = volume->open(volume, &fh, fi->filename, EFI_FILE_MODE_READ, 0);
if (status != EFI_SUCCESS) {
efi_err("Failed to open file: %ls\n", fi->filename);
return status;
}
Reported by FlawFinder.
Line: 214
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* multiple files that need to be concatenated
* and returned in a single buffer.
*/
memcpy((void *)alloc_addr, (void *)old_addr, alloc_size);
efi_free(alloc_size, old_addr);
}
}
addr = (void *)alloc_addr + alloc_size;
Reported by FlawFinder.
Line: 225
Column: 19
CWE codes:
120
20
while (size) {
unsigned long chunksize = min(size, efi_chunk_size);
status = file->read(file, &chunksize, addr);
if (status != EFI_SUCCESS) {
efi_err("Failed to read file\n");
goto err_close_file;
}
addr += chunksize;
Reported by FlawFinder.
drivers/base/platform.c
3 issues
Line: 577
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
pa = kzalloc(sizeof(*pa) + strlen(name) + 1, GFP_KERNEL);
if (pa) {
strcpy(pa->name, name);
pa->pdev.name = pa->name;
pa->pdev.id = id;
device_initialize(&pa->pdev.dev);
pa->pdev.dev.release = platform_device_release;
setup_pdev_dma_masks(&pa->pdev);
Reported by FlawFinder.
Line: 575
Column: 29
CWE codes:
126
{
struct platform_object *pa;
pa = kzalloc(sizeof(*pa) + strlen(name) + 1, GFP_KERNEL);
if (pa) {
strcpy(pa->name, name);
pa->pdev.name = pa->name;
pa->pdev.id = id;
device_initialize(&pa->pdev.dev);
Reported by FlawFinder.
Line: 1305
Column: 6
CWE codes:
126
device_lock(dev);
old = pdev->driver_override;
if (strlen(driver_override)) {
pdev->driver_override = driver_override;
} else {
kfree(driver_override);
pdev->driver_override = NULL;
}
Reported by FlawFinder.
drivers/base/firmware_loader/main.c
3 issues
Line: 108
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
if (!buf || size < fw->size)
return;
memcpy(buf, fw->data, fw->size);
}
static bool fw_get_builtin_firmware(struct firmware *fw, const char *name,
void *buf, size_t size)
{
Reported by FlawFinder.
Line: 329
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
GFP_KERNEL);
if (!new_pages)
return -ENOMEM;
memcpy(new_pages, fw_priv->pages,
fw_priv->page_array_size * sizeof(void *));
memset(&new_pages[fw_priv->page_array_size], 0, sizeof(void *) *
(new_array_size - fw_priv->page_array_size));
kvfree(fw_priv->pages);
fw_priv->pages = new_pages;
Reported by FlawFinder.
Line: 466
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#endif /* CONFIG_FW_LOADER_COMPRESS */
/* direct firmware loading support */
static char fw_path_para[256];
static const char * const fw_path[] = {
fw_path_para,
"/lib/firmware/updates/" UTS_RELEASE,
"/lib/firmware/updates",
"/lib/firmware/" UTS_RELEASE,
Reported by FlawFinder.
drivers/dma/ioat/prep.c
3 issues
Line: 594
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
if ((flags & DMA_PREP_PQ_DISABLE_P) && src_cnt == 1) {
dma_addr_t single_source[2];
unsigned char single_source_coef[2];
BUG_ON(flags & DMA_PREP_PQ_DISABLE_Q);
single_source[0] = src[0];
single_source[1] = src[0];
single_source_coef[0] = scf[0];
Reported by FlawFinder.
Line: 650
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
ioat_prep_pqxor(struct dma_chan *chan, dma_addr_t dst, dma_addr_t *src,
unsigned int src_cnt, size_t len, unsigned long flags)
{
unsigned char scf[MAX_SCF];
dma_addr_t pq[2];
struct ioatdma_chan *ioat_chan = to_ioat_chan(chan);
if (test_bit(IOAT_CHAN_DOWN, &ioat_chan->state))
return NULL;
Reported by FlawFinder.
Line: 677
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int src_cnt, size_t len,
enum sum_check_flags *result, unsigned long flags)
{
unsigned char scf[MAX_SCF];
dma_addr_t pq[2];
struct ioatdma_chan *ioat_chan = to_ioat_chan(chan);
if (test_bit(IOAT_CHAN_DOWN, &ioat_chan->state))
return NULL;
Reported by FlawFinder.
drivers/clk/at91/sckc.c
3 issues
Line: 369
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int rc_osc_startup_us,
const struct clk_slow_bits *bits)
{
const char *parent_names[2] = { "slow_rc_osc", "slow_osc" };
void __iomem *regbase = of_iomap(np, 0);
struct device_node *child = NULL;
const char *xtal_name;
struct clk_hw *slow_rc, *slow_osc, *slowck;
bool bypass;
Reported by FlawFinder.
Line: 467
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct clk_hw_onecell_data *clk_data;
struct clk_hw *slow_rc, *slow_osc;
const char *xtal_name;
const char *parent_names[2] = { "slow_rc_osc", "slow_osc" };
bool bypass;
int ret;
if (!regbase)
return;
Reported by FlawFinder.
Line: 577
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct clk_sama5d4_slow_osc *osc;
struct clk_init_data init;
const char *xtal_name;
const char *parent_names[2] = { "slow_rc_osc", "slow_osc" };
int ret;
if (!regbase)
return;
Reported by FlawFinder.
drivers/crypto/inside-secure/safexcel.c
3 issues
Line: 409
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
const char *fw_name[] = {"ifpp.bin", "ipue.bin"};
const struct firmware *fw[FW_NB];
char fw_path[37], *dir = NULL;
int i, j, ret = 0, pe;
int ipuesz, ifppsz, minifw = 0;
if (priv->version == EIP197D_MRVL)
dir = "eip197d";
Reported by FlawFinder.
Line: 1163
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
} else if (IS_ENABLED(CONFIG_OF)) {
struct platform_device *plf_pdev = pdev;
char irq_name[6] = {0}; /* "ringX\0" */
snprintf(irq_name, 6, "ring%d", irqid);
dev = &plf_pdev->dev;
irq = platform_get_irq_byname(plf_pdev, irq_name);
Reported by FlawFinder.
Line: 1625
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
return -ENOMEM;
for (i = 0; i < priv->config.rings; i++) {
char wq_name[9] = {0};
int irq;
struct safexcel_ring_irq_data *ring_irq;
ret = safexcel_init_ring_descriptors(priv,
&priv->ring[i].cdr,
Reported by FlawFinder.
drivers/firmware/efi/libstub/pci.c
3 issues
Line: 76
Column: 36
CWE codes:
120
20
* disabling DMA in the PCI bridge should not interfere with
* normal operation of the device.
*/
status = efi_call_proto(pci, pci.read, EfiPciIoWidthUint16,
PCI_CLASS_DEVICE, 1, &class);
if (status != EFI_SUCCESS || class == PCI_CLASS_DISPLAY_VGA)
continue;
/* Disconnect this handle from all its drivers */
Reported by FlawFinder.
Line: 93
Column: 36
CWE codes:
120
20
if (status != EFI_SUCCESS || !pci)
continue;
status = efi_call_proto(pci, pci.read, EfiPciIoWidthUint16,
PCI_CLASS_DEVICE, 1, &class);
if (status != EFI_SUCCESS || class != PCI_CLASS_BRIDGE_PCI)
continue;
Reported by FlawFinder.
Line: 100
Column: 36
CWE codes:
120
20
continue;
/* Disable busmastering */
status = efi_call_proto(pci, pci.read, EfiPciIoWidthUint16,
PCI_COMMAND, 1, &command);
if (status != EFI_SUCCESS || !(command & PCI_COMMAND_MASTER))
continue;
command &= ~PCI_COMMAND_MASTER;
Reported by FlawFinder.
drivers/gpu/drm/amd/amdgpu/sdma_v5_2.c
3 issues
Line: 147
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int sdma_v5_2_init_microcode(struct amdgpu_device *adev)
{
const char *chip_name;
char fw_name[40];
int err = 0, i;
struct amdgpu_firmware_info *info = NULL;
const struct common_firmware_header *header = NULL;
DRM_DEBUG("\n");
Reported by FlawFinder.
Line: 188
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto out;
for (i = 1; i < adev->sdma.num_instances; i++)
memcpy((void *)&adev->sdma.instance[i],
(void *)&adev->sdma.instance[0],
sizeof(struct amdgpu_sdma_instance));
if (amdgpu_sriov_vf(adev) && (adev->asic_type == CHIP_SIENNA_CICHLID))
return 0;
Reported by FlawFinder.
Line: 1319
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
ring->doorbell_index =
(adev->doorbell_index.sdma_engine[i] << 1); //get DWORD offset
sprintf(ring->name, "sdma%d", i);
r = amdgpu_ring_init(adev, ring, 1024, &adev->sdma.trap_irq,
AMDGPU_SDMA_IRQ_INSTANCE0 + i,
AMDGPU_RING_PRIO_DEFAULT, NULL);
if (r)
return r;
Reported by FlawFinder.
drivers/acpi/acpica/utglobal.c
3 issues
Line: 25
Column: 7
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*
******************************************************************************/
/* Various state name strings */
const char *acpi_gbl_sleep_state_names[ACPI_S_STATE_COUNT] = {
"\\_S0_",
"\\_S1_",
"\\_S2_",
"\\_S3_",
"\\_S4_",
Reported by FlawFinder.
Line: 34
Column: 7
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
"\\_S5_"
};
const char *acpi_gbl_lowest_dstate_names[ACPI_NUM_sx_w_METHODS] = {
"_S0W",
"_S1W",
"_S2W",
"_S3W",
"_S4W"
Reported by FlawFinder.
Line: 42
Column: 7
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
"_S4W"
};
const char *acpi_gbl_highest_dstate_names[ACPI_NUM_sx_d_METHODS] = {
"_S1D",
"_S2D",
"_S3D",
"_S4D"
};
Reported by FlawFinder.
drivers/bluetooth/bfusb.c
3 issues
Line: 453
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct bfusb_data *data = hci_get_drvdata(hdev);
struct sk_buff *nskb;
unsigned char buf[3];
int sent = 0, size, count;
BT_DBG("hdev %p skb %p type %d len %d", hdev, skb,
hci_skb_pkt_type(skb), skb->len);
Reported by FlawFinder.
Line: 472
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
/* Prepend skb with frame type */
memcpy(skb_push(skb, 1), &hci_skb_pkt_type(skb), 1);
count = skb->len;
/* Max HCI frame size seems to be 1511 + 1 */
nskb = bt_skb_alloc(count + 32, GFP_KERNEL);
Reported by FlawFinder.
Line: 550
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
while (count) {
size = min_t(uint, count, BFUSB_MAX_BLOCK_SIZE + 3);
memcpy(buf, firmware + sent, size);
err = usb_bulk_msg(data->udev, pipe, buf, size,
&len, BFUSB_BLOCK_TIMEOUT);
if (err || (len != size)) {
Reported by FlawFinder.