The following issues were found
drivers/md/md-cluster.c
19 issues
Line: 111
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* TODO: Unionize this for smaller footprint */
__le64 low;
__le64 high;
char uuid[16];
__le32 raid_slot;
};
static void sync_ast(void *arg)
{
Reported by FlawFinder.
Line: 276
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
int ret = 0;
dlm_lock_sync(lockres, DLM_LOCK_CR);
memcpy(&ri, lockres->lksb.sb_lvbptr, sizeof(struct resync_info));
if (le64_to_cpu(ri.hi) > 0) {
cinfo->suspend_hi = le64_to_cpu(ri.hi);
cinfo->suspend_lo = le64_to_cpu(ri.lo);
ret = 1;
}
Reported by FlawFinder.
Line: 291
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct mddev *mddev = thread->mddev;
struct md_cluster_info *cinfo = mddev->cluster_info;
struct dlm_lock_resource *bm_lockres;
char str[64];
int slot, ret;
sector_t lo, hi;
while (cinfo->recovery_map) {
slot = fls64((u64)cinfo->recovery_map) - 1;
Reported by FlawFinder.
Line: 506
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void process_add_new_disk(struct mddev *mddev, struct cluster_msg *cmsg)
{
char disk_uuid[64];
struct md_cluster_info *cinfo = mddev->cluster_info;
char event_name[] = "EVENT=ADD_DEVICE";
char raid_slot[16];
char *envp[] = {event_name, disk_uuid, raid_slot, NULL};
int len;
Reported by FlawFinder.
Line: 509
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char disk_uuid[64];
struct md_cluster_info *cinfo = mddev->cluster_info;
char event_name[] = "EVENT=ADD_DEVICE";
char raid_slot[16];
char *envp[] = {event_name, disk_uuid, raid_slot, NULL};
int len;
len = snprintf(disk_uuid, 64, "DEVICE_UUID=");
sprintf(disk_uuid + len, "%pU", cmsg->uuid);
Reported by FlawFinder.
Line: 514
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
int len;
len = snprintf(disk_uuid, 64, "DEVICE_UUID=");
sprintf(disk_uuid + len, "%pU", cmsg->uuid);
snprintf(raid_slot, 16, "RAID_DISK=%d", le32_to_cpu(cmsg->raid_slot));
pr_info("%s:%d Sending kobject change with %s and %s\n", __func__, __LINE__, disk_uuid, raid_slot);
init_completion(&cinfo->newdisk_completion);
set_bit(MD_CLUSTER_WAITING_FOR_NEWDISK, &cinfo->state);
kobject_uevent_env(&disk_to_dev(mddev->gendisk)->kobj, KOBJ_CHANGE, envp);
Reported by FlawFinder.
Line: 637
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
/* read lvb and wake up thread to process this message_lockres */
memcpy(&msg, message_lockres->lksb.sb_lvbptr, sizeof(struct cluster_msg));
ret = process_recvd_msg(thread->mddev, &msg);
if (ret)
goto out;
/*release CR on ack_lockres*/
Reported by FlawFinder.
Line: 746
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto failed_message;
}
memcpy(cinfo->message_lockres->lksb.sb_lvbptr, (void *)cmsg,
sizeof(struct cluster_msg));
/*down-convert EX to CW on Message*/
error = dlm_lock_sync(cinfo->message_lockres, DLM_LOCK_CW);
if (error) {
pr_err("md-cluster: failed to convert EX to CW on MESSAGE(%d)\n",
Reported by FlawFinder.
Line: 802
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct md_cluster_info *cinfo = mddev->cluster_info;
int i, ret = 0;
struct dlm_lock_resource *bm_lockres;
char str[64];
sector_t lo, hi;
for (i = 0; i < total_slots; i++) {
memset(str, '\0', 64);
Reported by FlawFinder.
Line: 860
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct md_cluster_info *cinfo;
int ret, ops_rv;
char str[64];
cinfo = kzalloc(sizeof(struct md_cluster_info), GFP_KERNEL);
if (!cinfo)
return -ENOMEM;
Reported by FlawFinder.
drivers/media/dvb-frontends/stv090x.c
19 issues
Line: 728
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
buf[0] = reg >> 8;
buf[1] = reg & 0xff;
memcpy(&buf[2], data, count);
dprintk(FE_DEBUGREG, 1, "%s [0x%04x]: %*ph",
__func__, reg, count, data);
ret = i2c_transfer(state->i2c, &i2c_msg, 1);
Reported by FlawFinder.
Line: 3620
Column: 23
CWE codes:
120
20
int res = 0;
int min = 0, med;
if ((val >= tab[min].read && val < tab[max].read) ||
(val >= tab[max].read && val < tab[min].read)) {
while ((max - min) > 1) {
med = (max + min) / 2;
if ((val >= tab[min].read && val < tab[med].read) ||
(val >= tab[med].read && val < tab[min].read))
Reported by FlawFinder.
Line: 3620
Column: 46
CWE codes:
120
20
int res = 0;
int min = 0, med;
if ((val >= tab[min].read && val < tab[max].read) ||
(val >= tab[max].read && val < tab[min].read)) {
while ((max - min) > 1) {
med = (max + min) / 2;
if ((val >= tab[min].read && val < tab[med].read) ||
(val >= tab[med].read && val < tab[min].read))
Reported by FlawFinder.
Line: 3621
Column: 23
CWE codes:
120
20
int min = 0, med;
if ((val >= tab[min].read && val < tab[max].read) ||
(val >= tab[max].read && val < tab[min].read)) {
while ((max - min) > 1) {
med = (max + min) / 2;
if ((val >= tab[min].read && val < tab[med].read) ||
(val >= tab[med].read && val < tab[min].read))
max = med;
Reported by FlawFinder.
Line: 3621
Column: 46
CWE codes:
120
20
int min = 0, med;
if ((val >= tab[min].read && val < tab[max].read) ||
(val >= tab[max].read && val < tab[min].read)) {
while ((max - min) > 1) {
med = (max + min) / 2;
if ((val >= tab[min].read && val < tab[med].read) ||
(val >= tab[med].read && val < tab[min].read))
max = med;
Reported by FlawFinder.
Line: 3624
Column: 48
CWE codes:
120
20
(val >= tab[max].read && val < tab[min].read)) {
while ((max - min) > 1) {
med = (max + min) / 2;
if ((val >= tab[min].read && val < tab[med].read) ||
(val >= tab[med].read && val < tab[min].read))
max = med;
else
min = med;
}
Reported by FlawFinder.
Line: 3624
Column: 25
CWE codes:
120
20
(val >= tab[max].read && val < tab[min].read)) {
while ((max - min) > 1) {
med = (max + min) / 2;
if ((val >= tab[min].read && val < tab[med].read) ||
(val >= tab[med].read && val < tab[min].read))
max = med;
else
min = med;
}
Reported by FlawFinder.
Line: 3625
Column: 48
CWE codes:
120
20
while ((max - min) > 1) {
med = (max + min) / 2;
if ((val >= tab[min].read && val < tab[med].read) ||
(val >= tab[med].read && val < tab[min].read))
max = med;
else
min = med;
}
res = ((val - tab[min].read) *
Reported by FlawFinder.
Line: 3625
Column: 25
CWE codes:
120
20
while ((max - min) > 1) {
med = (max + min) / 2;
if ((val >= tab[min].read && val < tab[med].read) ||
(val >= tab[med].read && val < tab[min].read))
max = med;
else
min = med;
}
res = ((val - tab[min].read) *
Reported by FlawFinder.
Line: 3630
Column: 26
CWE codes:
120
20
else
min = med;
}
res = ((val - tab[min].read) *
(tab[max].real - tab[min].real) /
(tab[max].read - tab[min].read)) +
tab[min].real;
} else {
if (tab[min].read < tab[max].read) {
Reported by FlawFinder.
scripts/kconfig/nconf.c
19 issues
Line: 546
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
k_menu_items[items_num].is_visible = 1;
va_start(ap, fmt);
vsnprintf(k_menu_items[items_num].str,
sizeof(k_menu_items[items_num].str),
fmt, ap);
va_end(ap);
if (!k_menu_items[items_num].is_visible)
Reported by FlawFinder.
Line: 580
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
return;
va_start(ap, fmt);
vsnprintf(new_str, sizeof(new_str), fmt, ap);
va_end(ap);
snprintf(tmp_str, sizeof(tmp_str), "%s%s",
k_menu_items[index].str, new_str);
strncpy(k_menu_items[index].str,
tmp_str,
Reported by FlawFinder.
Line: 1481
Column: 9
CWE codes:
807
20
Suggestion:
Check environment variables carefully before using them
conf_parse(av[1]);
conf_read(NULL);
mode = getenv("NCONFIG_MODE");
if (mode) {
if (!strcasecmp(mode, "single_menu"))
single_menu_mode = 1;
}
Reported by FlawFinder.
Line: 250
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
"\n";
struct mitem {
char str[256];
char tag;
void *usrptr;
int is_visible;
};
Reported by FlawFinder.
Line: 552
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
va_end(ap);
if (!k_menu_items[items_num].is_visible)
memcpy(k_menu_items[items_num].str, "XXX", 3);
curses_menu_items[items_num] = new_item(
k_menu_items[items_num].str,
k_menu_items[items_num].str);
set_item_userptr(curses_menu_items[items_num],
Reported by FlawFinder.
Line: 573
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
va_list ap;
int index = items_num-1;
char new_str[256];
char tmp_str[256];
if (index < 0)
return;
Reported by FlawFinder.
Line: 574
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
va_list ap;
int index = items_num-1;
char new_str[256];
char tmp_str[256];
if (index < 0)
return;
va_start(ap, fmt);
Reported by FlawFinder.
Line: 632
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
return item_tag() == tag;
}
static char filename[PATH_MAX+1];
static char menu_backtitle[PATH_MAX+128];
static void set_config_filename(const char *config_filename)
{
snprintf(menu_backtitle, sizeof(menu_backtitle), "%s - %s",
config_filename, rootmenu.prompt->text);
Reported by FlawFinder.
Line: 633
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
static char filename[PATH_MAX+1];
static char menu_backtitle[PATH_MAX+128];
static void set_config_filename(const char *config_filename)
{
snprintf(menu_backtitle, sizeof(menu_backtitle), "%s - %s",
config_filename, rootmenu.prompt->text);
Reported by FlawFinder.
Line: 1010
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
int in_search;
match_f match_direction;
char pattern[256];
};
/* Return 0 means I have handled the key. In such a case, ans should hold the
* item to center, or -1 otherwise.
* Else return -1 .
Reported by FlawFinder.
fs/proc/base.c
19 issues
Line: 3738
* with the leader and walk nr threads forward.
*/
pos = task = task->group_leader;
do {
if (!nr--)
goto found;
} while_each_thread(task, pos);
fail:
pos = NULL;
Reported by Cppcheck.
Line: 602
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!lock_task_sighand(task, &flags))
return 0;
memcpy(rlim, task->signal->rlim, sizeof(struct rlimit) * RLIM_NLIMITS);
unlock_task_sighand(task, &flags);
/*
* print the file header
*/
Reported by FlawFinder.
Line: 1039
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
loff_t *ppos)
{
struct task_struct *task = get_proc_task(file_inode(file));
char buffer[PROC_NUMBUF];
int oom_adj = OOM_ADJUST_MIN;
size_t len;
if (!task)
return -ESRCH;
Reported by FlawFinder.
Line: 1153
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static ssize_t oom_adj_write(struct file *file, const char __user *buf,
size_t count, loff_t *ppos)
{
char buffer[PROC_NUMBUF];
int oom_adj;
int err;
memset(buffer, 0, sizeof(buffer));
if (count > sizeof(buffer) - 1)
Reported by FlawFinder.
Line: 1198
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
size_t count, loff_t *ppos)
{
struct task_struct *task = get_proc_task(file_inode(file));
char buffer[PROC_NUMBUF];
short oom_score_adj = OOM_SCORE_ADJ_MIN;
size_t len;
if (!task)
return -ESRCH;
Reported by FlawFinder.
Line: 1213
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static ssize_t oom_score_adj_write(struct file *file, const char __user *buf,
size_t count, loff_t *ppos)
{
char buffer[PROC_NUMBUF];
int oom_score_adj;
int err;
memset(buffer, 0, sizeof(buffer));
if (count > sizeof(buffer) - 1)
Reported by FlawFinder.
Line: 1253
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct inode * inode = file_inode(file);
struct task_struct *task = get_proc_task(inode);
ssize_t length;
char tmpbuf[TMPBUFLEN];
if (!task)
return -ESRCH;
length = scnprintf(tmpbuf, TMPBUFLEN, "%u",
from_kuid(file->f_cred->user_ns,
Reported by FlawFinder.
Line: 1319
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct inode * inode = file_inode(file);
struct task_struct *task = get_proc_task(inode);
ssize_t length;
char tmpbuf[TMPBUFLEN];
if (!task)
return -ESRCH;
length = scnprintf(tmpbuf, TMPBUFLEN, "%u",
audit_get_sessionid(task));
Reported by FlawFinder.
Line: 1340
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
size_t count, loff_t *ppos)
{
struct task_struct *task = get_proc_task(file_inode(file));
char buffer[PROC_NUMBUF];
size_t len;
int make_it_fail;
if (!task)
return -ESRCH;
Reported by FlawFinder.
Line: 1358
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char __user * buf, size_t count, loff_t *ppos)
{
struct task_struct *task;
char buffer[PROC_NUMBUF];
int make_it_fail;
int rv;
if (!capable(CAP_SYS_RESOURCE))
return -EPERM;
Reported by FlawFinder.
drivers/md/dm-ioctl.c
19 issues
Line: 618
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
disk = dm_disk(hc->md);
nl->dev = huge_encode_dev(disk_devt(disk));
nl->next = 0;
strcpy(nl->name, hc->name);
old_nl = nl;
event_nr = align_ptr(nl->name + strlen(hc->name) + 1);
event_nr[0] = dm_get_event_nr(hc->md);
event_nr[1] = 0;
Reported by FlawFinder.
Line: 628
Column: 5
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
if (param->flags & DM_UUID_FLAG) {
if (hc->uuid) {
event_nr[1] |= DM_NAME_LIST_FLAG_HAS_UUID;
strcpy(uuid_ptr, hc->uuid);
uuid_ptr = align_ptr(uuid_ptr + strlen(hc->uuid) + 1);
} else {
event_nr[1] |= DM_NAME_LIST_FLAG_DOESNT_HAVE_UUID;
}
}
Reported by FlawFinder.
Line: 675
Column: 5
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
info->vers->version[1] = tt->version[1];
info->vers->version[2] = tt->version[2];
info->vers->next = 0;
strcpy(info->vers->name, tt->name);
info->old_vers = info->vers;
info->vers = align_ptr(((void *) ++info->vers) + strlen(tt->name) + 1);
}
Reported by FlawFinder.
Line: 2111
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
}
if (name)
strcpy(name, hc->name);
if (uuid)
strcpy(uuid, hc->uuid ? : "");
out:
mutex_unlock(&dm_hash_cells_mutex);
Reported by FlawFinder.
Line: 2113
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
if (name)
strcpy(name, hc->name);
if (uuid)
strcpy(uuid, hc->uuid ? : "");
out:
mutex_unlock(&dm_hash_cells_mutex);
return r;
Reported by FlawFinder.
Line: 1869
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*param_flags |= DM_PARAMS_MALLOC;
/* Copy from param_kernel (which was already copied from user) */
memcpy(dmi, param_kernel, minimum_data_size);
if (copy_from_user(&dmi->data, (char __user *)user + minimum_data_size,
param_kernel->data_size - minimum_data_size))
goto bad;
data_copied:
Reported by FlawFinder.
Line: 549
Column: 12
CWE codes:
126
size_t val_len, pfx_len;
val = hc->name;
val_len = strlen(val);
pfx_len = strnlen(pfx_name, DM_NAME_LEN);
if (pfx_len > val_len)
return false;
if (memcmp(val, pfx_name, pfx_len))
return false;
Reported by FlawFinder.
Line: 557
Column: 12
CWE codes:
126
return false;
val = hc->uuid ? hc->uuid : "";
val_len = strlen(val);
pfx_len = strnlen(pfx_uuid, DM_UUID_LEN);
if (pfx_len > val_len)
return false;
if (memcmp(val, pfx_uuid, pfx_len))
return false;
Reported by FlawFinder.
Line: 586
Column: 61
CWE codes:
126
hc = container_of(n, struct hash_cell, name_node);
if (!filter_device(hc, param->name, param->uuid))
continue;
needed += align_val(offsetof(struct dm_name_list, name) + strlen(hc->name) + 1);
needed += align_val(sizeof(uint32_t) * 2);
if (param->flags & DM_UUID_FLAG && hc->uuid)
needed += align_val(strlen(hc->uuid) + 1);
}
Reported by FlawFinder.
Line: 589
Column: 24
CWE codes:
126
needed += align_val(offsetof(struct dm_name_list, name) + strlen(hc->name) + 1);
needed += align_val(sizeof(uint32_t) * 2);
if (param->flags & DM_UUID_FLAG && hc->uuid)
needed += align_val(strlen(hc->uuid) + 1);
}
/*
* Grab our output buffer.
*/
Reported by FlawFinder.
tools/perf/builtin-help.c
19 issues
Line: 132
Column: 4
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
if (!path)
path = "emacsclient";
if (asprintf(&man_page, "(woman \"%s\")", page) > 0) {
execlp(path, "emacsclient", "-e", man_page, NULL);
free(man_page);
}
exec_failed(path);
}
}
Reported by FlawFinder.
Line: 163
Column: 4
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
} else
path = "kfmclient";
if (asprintf(&man_page, "man:%s(1)", page) > 0) {
execlp(path, filename, "newTab", man_page, NULL);
free(man_page);
}
exec_failed(path);
}
}
Reported by FlawFinder.
Line: 174
Column: 2
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
{
if (!path)
path = "man";
execlp(path, "man", page, NULL);
exec_failed(path);
}
static void exec_man_cmd(const char *cmd, const char *page)
{
Reported by FlawFinder.
Line: 183
Column: 3
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
char *shell_cmd;
if (asprintf(&shell_cmd, "%s %s", cmd, page) > 0) {
execl("/bin/sh", "sh", "-c", shell_cmd, NULL);
free(shell_cmd);
}
exec_failed(cmd);
}
Reported by FlawFinder.
Line: 197
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
while (*p)
p = &((*p)->next);
*p = zalloc(sizeof(**p) + len + 1);
strcpy((*p)->name, name);
}
static int supported_man_viewer(const char *name, size_t len)
{
return (!strncasecmp("man", name, len) ||
Reported by FlawFinder.
Line: 383
Column: 2
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
{
const char *page = cmd_to_page(perf_cmd);
setenv("INFOPATH", system_path(PERF_INFO_PATH), 1);
execlp("info", "info", "perfman", page, NULL);
return -1;
}
static int get_html_page_path(char **page_path, const char *page)
{
Reported by FlawFinder.
Line: 141
Column: 24
CWE codes:
807
20
Suggestion:
Check environment variables carefully before using them
static void exec_man_konqueror(const char *path, const char *page)
{
const char *display = getenv("DISPLAY");
if (display && *display) {
char *man_page;
const char *filename = "kfmclient";
Reported by FlawFinder.
Line: 331
Column: 25
CWE codes:
807
20
Suggestion:
Check environment variables carefully before using them
static void setup_man_path(void)
{
char *new_path;
const char *old_path = getenv("MANPATH");
/* We should always put ':' after our path. If there is no
* old_path, the ':' at the end will let 'man' to try
* system-wide paths after ours to find the manual page. If
* there is old_path, we need ':' as delimiter. */
Reported by FlawFinder.
Line: 365
Column: 25
CWE codes:
807
20
Suggestion:
Check environment variables carefully before using them
{
struct man_viewer_list *viewer;
const char *page = cmd_to_page(perf_cmd);
const char *fallback = getenv("PERF_MAN_VIEWER");
setup_man_path();
for (viewer = man_viewer_list; viewer; viewer = viewer->next)
exec_viewer(viewer->name, page); /* will return when unable */
Reported by FlawFinder.
Line: 30
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static struct man_viewer_list {
struct man_viewer_list *next;
char name[0];
} *man_viewer_list;
static struct man_viewer_info_list {
struct man_viewer_info_list *next;
const char *info;
Reported by FlawFinder.
tools/perf/bench/numa.c
19 issues
Line: 47
Column: 61
CWE codes:
134
Suggestion:
Use a constant for the format specification
/*
* Regular printout to the terminal, suppressed if -q is specified:
*/
#define tprintf(x...) do { if (g && g->p.show_details >= 0) printf(x); } while (0)
/*
* Debug printf:
*/
#undef dprintf
Reported by FlawFinder.
Line: 53
Column: 61
CWE codes:
134
Suggestion:
Use a constant for the format specification
* Debug printf:
*/
#undef dprintf
#define dprintf(x...) do { if (g && g->p.show_details >= 1) printf(x); } while (0)
struct thread_data {
int curr_cpu;
cpu_set_t bind_cpumask;
int bind_node;
Reported by FlawFinder.
Line: 372
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
do { \
char name[20]; \
\
snprintf(name, 20, fmt); \
prctl(PR_SET_NAME, name); \
} while (0)
static u8 *alloc_data(ssize_t bytes0, int map_flags,
int init_zero, int init_cpu0, int thp, int init_random)
Reported by FlawFinder.
Line: 1855
Column: 8
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
int ret;
int i;
ret = system("echo ' #'; echo ' # Running test on: '$(uname -a); echo ' #'");
BUG_ON(ret < 0);
for (i = 0; i < nr; i++) {
run_bench_numa(tests[i][0], tests[i] + 1);
}
Reported by FlawFinder.
Line: 370
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define set_taskname(fmt...) \
do { \
char name[20]; \
\
snprintf(name, 20, fmt); \
prctl(PR_SET_NAME, name); \
} while (0)
Reported by FlawFinder.
Line: 547
Column: 30
CWE codes:
190
Suggestion:
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)
dprintf("\ntoken: {%s}, end: {%s}\n", tok, tok_end);
if (!tok_end) {
/* Single CPU specified: */
bind_cpu_0 = bind_cpu_1 = atol(tok);
} else {
/* CPU range specified (for example: "5-11"): */
bind_cpu_0 = atol(tok);
bind_cpu_1 = atol(tok_end + 1);
}
Reported by FlawFinder.
Line: 550
Column: 17
CWE codes:
190
Suggestion:
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)
bind_cpu_0 = bind_cpu_1 = atol(tok);
} else {
/* CPU range specified (for example: "5-11"): */
bind_cpu_0 = atol(tok);
bind_cpu_1 = atol(tok_end + 1);
}
step = 1;
tok_step = strstr(tok, "#");
Reported by FlawFinder.
Line: 551
Column: 17
CWE codes:
190
Suggestion:
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)
} else {
/* CPU range specified (for example: "5-11"): */
bind_cpu_0 = atol(tok);
bind_cpu_1 = atol(tok_end + 1);
}
step = 1;
tok_step = strstr(tok, "#");
if (tok_step) {
Reported by FlawFinder.
Line: 557
Column: 11
CWE codes:
190
Suggestion:
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)
step = 1;
tok_step = strstr(tok, "#");
if (tok_step) {
step = atol(tok_step + 1);
BUG_ON(step <= 0 || step >= g->p.nr_cpus);
}
/*
* Mask length.
Reported by FlawFinder.
Line: 569
Column: 15
CWE codes:
190
Suggestion:
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)
bind_len = 1;
tok_len = strstr(tok, "_");
if (tok_len) {
bind_len = atol(tok_len + 1);
BUG_ON(bind_len <= 0 || bind_len > g->p.nr_cpus);
}
/* Multiplicator shortcut, "0x8" is a shortcut for: "0,0,0,0,0,0,0,0" */
mul = 1;
Reported by FlawFinder.
drivers/hwmon/gl520sm.c
19 issues
Line: 193
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct device_attribute *attr, char *buf)
{
struct gl520_data *data = gl520_update_device(dev);
return sprintf(buf, "%u\n", vid_from_reg(data->vid, data->vrm));
}
static DEVICE_ATTR_RO(cpu0_vid);
#define VDD_FROM_REG(val) DIV_ROUND_CLOSEST((val) * 95, 4)
#define VDD_CLAMP(val) clamp_val(val, 0, 255 * 95 / 4)
Reported by FlawFinder.
Line: 213
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
u8 r = data->in_input[n];
if (n == 0)
return sprintf(buf, "%d\n", VDD_FROM_REG(r));
else
return sprintf(buf, "%d\n", IN_FROM_REG(r));
}
static ssize_t in_min_show(struct device *dev, struct device_attribute *attr,
Reported by FlawFinder.
Line: 215
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (n == 0)
return sprintf(buf, "%d\n", VDD_FROM_REG(r));
else
return sprintf(buf, "%d\n", IN_FROM_REG(r));
}
static ssize_t in_min_show(struct device *dev, struct device_attribute *attr,
char *buf)
{
Reported by FlawFinder.
Line: 226
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
u8 r = data->in_min[n];
if (n == 0)
return sprintf(buf, "%d\n", VDD_FROM_REG(r));
else
return sprintf(buf, "%d\n", IN_FROM_REG(r));
}
static ssize_t in_max_show(struct device *dev, struct device_attribute *attr,
Reported by FlawFinder.
Line: 228
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (n == 0)
return sprintf(buf, "%d\n", VDD_FROM_REG(r));
else
return sprintf(buf, "%d\n", IN_FROM_REG(r));
}
static ssize_t in_max_show(struct device *dev, struct device_attribute *attr,
char *buf)
{
Reported by FlawFinder.
Line: 239
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
u8 r = data->in_max[n];
if (n == 0)
return sprintf(buf, "%d\n", VDD_FROM_REG(r));
else
return sprintf(buf, "%d\n", IN_FROM_REG(r));
}
static ssize_t in_min_store(struct device *dev, struct device_attribute *attr,
Reported by FlawFinder.
Line: 241
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (n == 0)
return sprintf(buf, "%d\n", VDD_FROM_REG(r));
else
return sprintf(buf, "%d\n", IN_FROM_REG(r));
}
static ssize_t in_min_store(struct device *dev, struct device_attribute *attr,
const char *buf, size_t count)
{
Reported by FlawFinder.
Line: 344
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
int n = to_sensor_dev_attr(attr)->index;
struct gl520_data *data = gl520_update_device(dev);
return sprintf(buf, "%d\n", FAN_FROM_REG(data->fan_input[n],
data->fan_div[n]));
}
static ssize_t fan_min_show(struct device *dev, struct device_attribute *attr,
char *buf)
Reported by FlawFinder.
Line: 354
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
int n = to_sensor_dev_attr(attr)->index;
struct gl520_data *data = gl520_update_device(dev);
return sprintf(buf, "%d\n", FAN_FROM_REG(data->fan_min[n],
data->fan_div[n]));
}
static ssize_t fan_div_show(struct device *dev, struct device_attribute *attr,
char *buf)
Reported by FlawFinder.
Line: 364
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
int n = to_sensor_dev_attr(attr)->index;
struct gl520_data *data = gl520_update_device(dev);
return sprintf(buf, "%d\n", DIV_FROM_REG(data->fan_div[n]));
}
static ssize_t fan1_off_show(struct device *dev,
struct device_attribute *attr, char *buf)
{
Reported by FlawFinder.
arch/s390/kvm/kvm-s390.c
19 issues
Line: 1304
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
else
kvm->arch.model.ibc = proc->ibc;
}
memcpy(kvm->arch.model.fac_list, proc->fac_list,
S390_ARCH_FAC_LIST_SIZE_BYTE);
VM_EVENT(kvm, 3, "SET: guest ibc: 0x%4.4x, guest cpuid: 0x%16.16llx",
kvm->arch.model.ibc,
kvm->arch.model.cpuid);
VM_EVENT(kvm, 3, "SET: guest faclist: 0x%16.16llx.%16.16llx.%16.16llx",
Reported by FlawFinder.
Line: 1455
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
proc->cpuid = kvm->arch.model.cpuid;
proc->ibc = kvm->arch.model.ibc;
memcpy(&proc->fac_list, kvm->arch.model.fac_list,
S390_ARCH_FAC_LIST_SIZE_BYTE);
VM_EVENT(kvm, 3, "GET: guest ibc: 0x%4.4x, guest cpuid: 0x%16.16llx",
kvm->arch.model.ibc,
kvm->arch.model.cpuid);
VM_EVENT(kvm, 3, "GET: guest faclist: 0x%16.16llx.%16.16llx.%16.16llx",
Reported by FlawFinder.
Line: 1483
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
get_cpu_id((struct cpuid *) &mach->cpuid);
mach->ibc = sclp.ibc;
memcpy(&mach->fac_mask, kvm->arch.model.fac_mask,
S390_ARCH_FAC_LIST_SIZE_BYTE);
memcpy((unsigned long *)&mach->fac_list, stfle_fac_list,
sizeof(stfle_fac_list));
VM_EVENT(kvm, 3, "GET: host ibc: 0x%4.4x, host cpuid: 0x%16.16llx",
kvm->arch.model.ibc,
Reported by FlawFinder.
Line: 1485
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mach->ibc = sclp.ibc;
memcpy(&mach->fac_mask, kvm->arch.model.fac_mask,
S390_ARCH_FAC_LIST_SIZE_BYTE);
memcpy((unsigned long *)&mach->fac_list, stfle_fac_list,
sizeof(stfle_fac_list));
VM_EVENT(kvm, 3, "GET: host ibc: 0x%4.4x, host cpuid: 0x%16.16llx",
kvm->arch.model.ibc,
kvm->arch.model.cpuid);
VM_EVENT(kvm, 3, "GET: host facmask: 0x%16.16llx.%16.16llx.%16.16llx",
Reported by FlawFinder.
Line: 2572
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
switch (kvm->arch.crypto.crycbd & CRYCB_FORMAT_MASK) {
case CRYCB_FORMAT2: /* APCB1 use 256 bits */
memcpy(crycb->apcb1.apm, apm, 32);
VM_EVENT(kvm, 3, "SET CRYCB: apm %016lx %016lx %016lx %016lx",
apm[0], apm[1], apm[2], apm[3]);
memcpy(crycb->apcb1.aqm, aqm, 32);
VM_EVENT(kvm, 3, "SET CRYCB: aqm %016lx %016lx %016lx %016lx",
aqm[0], aqm[1], aqm[2], aqm[3]);
Reported by FlawFinder.
Line: 2575
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(crycb->apcb1.apm, apm, 32);
VM_EVENT(kvm, 3, "SET CRYCB: apm %016lx %016lx %016lx %016lx",
apm[0], apm[1], apm[2], apm[3]);
memcpy(crycb->apcb1.aqm, aqm, 32);
VM_EVENT(kvm, 3, "SET CRYCB: aqm %016lx %016lx %016lx %016lx",
aqm[0], aqm[1], aqm[2], aqm[3]);
memcpy(crycb->apcb1.adm, adm, 32);
VM_EVENT(kvm, 3, "SET CRYCB: adm %016lx %016lx %016lx %016lx",
adm[0], adm[1], adm[2], adm[3]);
Reported by FlawFinder.
Line: 2578
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(crycb->apcb1.aqm, aqm, 32);
VM_EVENT(kvm, 3, "SET CRYCB: aqm %016lx %016lx %016lx %016lx",
aqm[0], aqm[1], aqm[2], aqm[3]);
memcpy(crycb->apcb1.adm, adm, 32);
VM_EVENT(kvm, 3, "SET CRYCB: adm %016lx %016lx %016lx %016lx",
adm[0], adm[1], adm[2], adm[3]);
break;
case CRYCB_FORMAT1:
case CRYCB_FORMAT0: /* Fall through both use APCB0 */
Reported by FlawFinder.
Line: 2584
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
break;
case CRYCB_FORMAT1:
case CRYCB_FORMAT0: /* Fall through both use APCB0 */
memcpy(crycb->apcb0.apm, apm, 8);
memcpy(crycb->apcb0.aqm, aqm, 2);
memcpy(crycb->apcb0.adm, adm, 2);
VM_EVENT(kvm, 3, "SET CRYCB: apm %016lx aqm %04x adm %04x",
apm[0], *((unsigned short *)aqm),
*((unsigned short *)adm));
Reported by FlawFinder.
Line: 2585
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
case CRYCB_FORMAT1:
case CRYCB_FORMAT0: /* Fall through both use APCB0 */
memcpy(crycb->apcb0.apm, apm, 8);
memcpy(crycb->apcb0.aqm, aqm, 2);
memcpy(crycb->apcb0.adm, adm, 2);
VM_EVENT(kvm, 3, "SET CRYCB: apm %016lx aqm %04x adm %04x",
apm[0], *((unsigned short *)aqm),
*((unsigned short *)adm));
break;
Reported by FlawFinder.
Line: 2586
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
case CRYCB_FORMAT0: /* Fall through both use APCB0 */
memcpy(crycb->apcb0.apm, apm, 8);
memcpy(crycb->apcb0.aqm, aqm, 2);
memcpy(crycb->apcb0.adm, adm, 2);
VM_EVENT(kvm, 3, "SET CRYCB: apm %016lx aqm %04x adm %04x",
apm[0], *((unsigned short *)aqm),
*((unsigned short *)adm));
break;
default: /* Can not happen */
Reported by FlawFinder.
drivers/mtd/ubi/build.c
19 issues
Line: 442
Column: 2
CWE codes:
134
Suggestion:
Make format string constant
int i, err;
dev_t dev;
sprintf(ubi->ubi_name, UBI_NAME_STR "%d", ubi->ubi_num);
/*
* Major numbers for the UBI character devices are allocated
* dynamically. Major numbers of volume character devices are
* equivalent to ones of the corresponding UBI character device. Minor
Reported by FlawFinder.
Line: 1401
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
return 0;
}
strcpy(buf, val);
/* Get rid of the final newline */
if (buf[len - 1] == '\n')
buf[len - 1] = '\0';
Reported by FlawFinder.
Line: 1416
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
}
p = &mtd_dev_param[mtd_devs];
strcpy(&p->name[0], tokens[0]);
token = tokens[1];
if (token) {
p->vid_hdr_offs = bytes_str_to_int(token);
Reported by FlawFinder.
Line: 58
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* @max_beb_per1024: maximum expected number of bad PEBs per 1024 PEBs
*/
struct mtd_dev_param {
char name[MTD_PARAM_LEN_MAX];
int ubi_num;
int vid_hdr_offs;
int max_beb_per1024;
};
Reported by FlawFinder.
Line: 99
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t version_show(struct class *class, struct class_attribute *attr,
char *buf)
{
return sprintf(buf, "%d\n", UBI_VERSION);
}
static CLASS_ATTR_RO(version);
static struct attribute *ubi_class_attrs[] = {
&class_attr_version.attr,
Reported by FlawFinder.
Line: 359
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
return -ENODEV;
if (attr == &dev_eraseblock_size)
ret = sprintf(buf, "%d\n", ubi->leb_size);
else if (attr == &dev_avail_eraseblocks)
ret = sprintf(buf, "%d\n", ubi->avail_pebs);
else if (attr == &dev_total_eraseblocks)
ret = sprintf(buf, "%d\n", ubi->good_peb_count);
else if (attr == &dev_volumes_count)
Reported by FlawFinder.
Line: 361
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (attr == &dev_eraseblock_size)
ret = sprintf(buf, "%d\n", ubi->leb_size);
else if (attr == &dev_avail_eraseblocks)
ret = sprintf(buf, "%d\n", ubi->avail_pebs);
else if (attr == &dev_total_eraseblocks)
ret = sprintf(buf, "%d\n", ubi->good_peb_count);
else if (attr == &dev_volumes_count)
ret = sprintf(buf, "%d\n", ubi->vol_count - UBI_INT_VOL_COUNT);
else if (attr == &dev_max_ec)
Reported by FlawFinder.
Line: 363
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
else if (attr == &dev_avail_eraseblocks)
ret = sprintf(buf, "%d\n", ubi->avail_pebs);
else if (attr == &dev_total_eraseblocks)
ret = sprintf(buf, "%d\n", ubi->good_peb_count);
else if (attr == &dev_volumes_count)
ret = sprintf(buf, "%d\n", ubi->vol_count - UBI_INT_VOL_COUNT);
else if (attr == &dev_max_ec)
ret = sprintf(buf, "%d\n", ubi->max_ec);
else if (attr == &dev_reserved_for_bad)
Reported by FlawFinder.
Line: 365
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
else if (attr == &dev_total_eraseblocks)
ret = sprintf(buf, "%d\n", ubi->good_peb_count);
else if (attr == &dev_volumes_count)
ret = sprintf(buf, "%d\n", ubi->vol_count - UBI_INT_VOL_COUNT);
else if (attr == &dev_max_ec)
ret = sprintf(buf, "%d\n", ubi->max_ec);
else if (attr == &dev_reserved_for_bad)
ret = sprintf(buf, "%d\n", ubi->beb_rsvd_pebs);
else if (attr == &dev_bad_peb_count)
Reported by FlawFinder.
Line: 367
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
else if (attr == &dev_volumes_count)
ret = sprintf(buf, "%d\n", ubi->vol_count - UBI_INT_VOL_COUNT);
else if (attr == &dev_max_ec)
ret = sprintf(buf, "%d\n", ubi->max_ec);
else if (attr == &dev_reserved_for_bad)
ret = sprintf(buf, "%d\n", ubi->beb_rsvd_pebs);
else if (attr == &dev_bad_peb_count)
ret = sprintf(buf, "%d\n", ubi->bad_peb_count);
else if (attr == &dev_max_vol_count)
Reported by FlawFinder.