The following issues were found
tools/testing/selftests/sgx/sigstruct.c
3 issues
Line: 132
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
bool had_errors = false;
const char *filename;
int line;
char str[256];
for ( ; ; ) {
if (ERR_peek_error() == 0)
break;
Reported by FlawFinder.
Line: 357
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!mrenclave_commit(ctx, sigstruct->body.mrenclave))
goto err;
/*
 * NOTE(review): both copies take their length from the source member
 * (sizeof(sigstruct->header), sizeof(sigstruct->body)). They stay in bounds
 * only if payload.header and payload.body are at least that large. The
 * declaration of payload is not part of this excerpt - confirm it there.
 * Sizing by the destination, or a build-time size assertion, would make the
 * bound explicit and settle both the line-357 and line-358 findings.
 */
memcpy(&payload.header, &sigstruct->header, sizeof(sigstruct->header));
memcpy(&payload.body, &sigstruct->body, sizeof(sigstruct->body));
/* The digest covers sizeof(payload) bytes, i.e. the whole object as laid out in memory. */
SHA256((unsigned char *)&payload, sizeof(payload), digest);
if (!RSA_sign(NID_sha256, digest, SHA256_DIGEST_LENGTH,
Reported by FlawFinder.
Line: 358
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto err;
memcpy(&payload.header, &sigstruct->header, sizeof(sigstruct->header));
memcpy(&payload.body, &sigstruct->body, sizeof(sigstruct->body));
SHA256((unsigned char *)&payload, sizeof(payload), digest);
if (!RSA_sign(NID_sha256, digest, SHA256_DIGEST_LENGTH,
sigstruct->signature, &siglen, key))
Reported by FlawFinder.
sound/usb/proc.c
3 issues
Line: 95
Column: 15
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void proc_dump_substream_formats(struct snd_usb_substream *subs, struct snd_info_buffer *buffer)
{
struct audioformat *fp;
/*
 * NOTE(review): the array flagged here holds four const pointers to string
 * literals and is itself const, so nothing is ever copied into it. The check
 * that matters is that any index into it stays within 0..3; the indexing code
 * is outside this excerpt.
 */
static const char * const sync_types[4] = {
"NONE", "ASYNC", "ADAPTIVE", "SYNC"
};
list_for_each_entry(fp, &subs->fmt_list, list) {
snd_pcm_format_t fmt;
Reported by FlawFinder.
Line: 231
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/*
 * Create a proc entry named "stream<pcm_index>" on the stream's card, with
 * proc_pcm_format_read as its read callback (read-only, judging by the name
 * of the helper that registers it).
 */
void snd_usb_proc_pcm_format_add(struct snd_usb_stream *stream)
{
/*
 * NOTE(review): "stream" is 6 characters and %d prints at most 11 for a
 * 32-bit int, so the longest result is 18 bytes including the terminator and
 * fits in name[32] (assumes pcm_index is an int, as %d implies). The two
 * findings on this function therefore do not describe a reachable overflow.
 * snprintf(name, sizeof(name), ...) would still tie the bound to the buffer
 * instead of to this arithmetic.
 */
char name[32];
struct snd_card *card = stream->chip->card;
sprintf(name, "stream%d", stream->pcm_index);
/* stream is handed over as the third argument, presumably as private data for the callback. */
snd_card_ro_proc_new(card, name, stream, proc_pcm_format_read);
}
Reported by FlawFinder.
Line: 234
Column: 2
CWE codes:
120
Suggestion:
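Use sprintf_s, snprintf, or vsnprintf (in kernel code that means snprintf() or scnprintf() bounded by sizeof(name); sprintf_s() is an optional C11 Annex K function that the kernel does not provide)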
char name[32];
struct snd_card *card = stream->chip->card;
sprintf(name, "stream%d", stream->pcm_index);
snd_card_ro_proc_new(card, name, stream, proc_pcm_format_read);
}
Reported by FlawFinder.
tools/testing/selftests/bpf/prog_tests/sockopt.c
3 issues
Line: 5
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#include <test_progs.h>
#include "cgroup_helpers.h"
static char bpf_log_buf[4096];
static bool verbose;
enum sockopt_test_error {
OK = 0,
DENY_LOAD,
Reported by FlawFinder.
Line: 26
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int set_optname;
int set_level;
const char set_optval[64];
socklen_t set_optlen;
int get_optname;
int get_level;
const char get_optval[64];
Reported by FlawFinder.
Line: 31
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int get_optname;
int get_level;
const char get_optval[64];
socklen_t get_optlen;
socklen_t get_optlen_ret;
enum sockopt_test_error error;
} tests[] = {
Reported by FlawFinder.
tools/testing/selftests/bpf/progs/test_xdp_loop.c
3 issues
Line: 170
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
vip.protocol = ip6h->nexthdr;
vip.family = AF_INET6;
/*
 * NOTE(review): the length is sizeof(vip.daddr), the enclosing member, while
 * the destination is vip.daddr.v6 and the source is the header's
 * daddr.s6_addr32. That is in bounds on both sides only if vip.daddr is
 * exactly the size of an IPv6 address (16 bytes); the type of vip is not
 * shown here. ip6h presumably points into packet data, so the read also
 * relies on an earlier bounds check against the end of the packet - confirm
 * above this excerpt.
 */
memcpy(vip.daddr.v6, ip6h->daddr.s6_addr32, sizeof(vip.daddr));
vip.dport = dport;
payload_len = ip6h->payload_len;
tnl = bpf_map_lookup_elem(&vip2tnl, &vip);
/* It only does v6-in-v6 */
Reported by FlawFinder.
Line: 201
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ip6h->payload_len = bpf_htons(bpf_ntohs(payload_len) + sizeof(*ip6h));
ip6h->nexthdr = IPPROTO_IPV6;
ip6h->hop_limit = 8;
/*
 * NOTE(review): here the lengths come from the source members
 * (tnl->saddr.v6, tnl->daddr.v6) and the destinations are the s6_addr32
 * arrays of the IPv6 header, which are 16 bytes each. The copies are in
 * bounds as long as the v6 members are no larger than that; their declaration
 * is outside this excerpt. This one note covers the line-201 and line-202
 * findings.
 */
memcpy(ip6h->saddr.s6_addr32, tnl->saddr.v6, sizeof(tnl->saddr.v6));
memcpy(ip6h->daddr.s6_addr32, tnl->daddr.v6, sizeof(tnl->daddr.v6));
count_tx(vip.protocol);
return XDP_TX;
Reported by FlawFinder.
Line: 202
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ip6h->nexthdr = IPPROTO_IPV6;
ip6h->hop_limit = 8;
memcpy(ip6h->saddr.s6_addr32, tnl->saddr.v6, sizeof(tnl->saddr.v6));
memcpy(ip6h->daddr.s6_addr32, tnl->daddr.v6, sizeof(tnl->daddr.v6));
count_tx(vip.protocol);
return XDP_TX;
}
Reported by FlawFinder.
tools/objtool/arch/x86/decode.c
3 issues
Line: 759
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
reloc = insn->reloc;
/*
 * NOTE(review): name appears to be the 32-byte array from the line-746
 * excerpt of this file. The fixed part "__x86_indirect_alt_" is 19
 * characters, and "call" plus the second underscore adds 5, which leaves room
 * for 7 characters of the symbol name before the terminator. Nothing in this
 * excerpt checks that length, and the "+ 21" also assumes the symbol name is
 * at least 21 characters long. The bound rests on which symbols reach this
 * list - confirm at the point where the list is filled.
 * snprintf(name, sizeof(name), ...) with a check of the return value would
 * enforce it here.
 */
sprintf(name, "__x86_indirect_alt_%s_%s",
insn->type == INSN_JUMP_DYNAMIC ? "jmp" : "call",
reloc->sym->name + 21);
sym = find_symbol_by_name(file->elf, name);
if (!sym) {
Reported by FlawFinder.
Line: 646
Column: 15
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char *arch_nop_insn(int len)
{
static const char nops[5][5] = {
{ BYTES_NOP1 },
{ BYTES_NOP2 },
{ BYTES_NOP3 },
{ BYTES_NOP4 },
{ BYTES_NOP5 },
Reported by FlawFinder.
Line: 746
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct instruction *insn;
struct reloc *reloc;
struct symbol *sym;
char name[32] = "";
list_for_each_entry(insn, &file->retpoline_call_list, call_node) {
if (insn->type != INSN_JUMP_DYNAMIC &&
insn->type != INSN_CALL_DYNAMIC)
Reported by FlawFinder.
tools/testing/selftests/nsfs/owner.c
3 issues
Line: 30
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
int pfd[2], ns, uns, init_uns;
struct stat st1, st2;
char path[128];
pid_t pid;
char c;
if (pipe(pfd))
return 1;
Reported by FlawFinder.
Line: 56
Column: 7
CWE codes:
362
close(pfd[0]);
/*
 * The path is formatted with snprintf() bounded by sizeof(path), and
 * "/proc/%d/ns/uts" needs at most 25 bytes including the terminator.
 */
snprintf(path, sizeof(path), "/proc/%d/ns/uts", pid);
/*
 * NOTE(review): the CWE-362 finding is FlawFinder's generic warning on
 * open(). It matters when another party can change what the path refers to
 * between an earlier check and this call; no earlier check on path is visible
 * in this excerpt.
 */
ns = open(path, O_RDONLY);
if (ns < 0)
return pr_err("Unable to open %s", path);
uns = ioctl(ns, NS_GET_USERNS);
if (uns < 0)
Reported by FlawFinder.
Line: 51
Column: 6
CWE codes:
120
20
return 0;
}
close(pfd[1]);
/*
 * NOTE(review): the destination is a single char and the count is 1, so this
 * read() cannot overrun its buffer. The "!= 0" test accepts only end-of-file:
 * a returned byte and a -1 error are both treated as failure.
 */
if (read(pfd[0], &c, 1) != 0)
return pr_err("Unable to read from pipe");
close(pfd[0]);
snprintf(path, sizeof(path), "/proc/%d/ns/uts", pid);
ns = open(path, O_RDONLY);
Reported by FlawFinder.
tools/testing/selftests/kvm/lib/elf.c
3 issues
Line: 22
Column: 7
CWE codes:
362
/* Open the ELF file. */
int fd;
fd = open(filename, O_RDONLY);
TEST_ASSERT(fd >= 0, "Failed to open ELF file,\n"
" filename: %s\n"
" rv: %i errno: %i", filename, fd, errno);
/* Read in and validate ELF Identification Record.
Reported by FlawFinder.
Line: 34
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* read and validated, the value of e_ehsize can be used to determine
* the real size of the ELF header.
*/
/*
 * NOTE(review): the requested length is sizeof(ident), so the read cannot
 * exceed the array. Whether a short read is rejected is up to test_read(),
 * which is not shown here.
 */
unsigned char ident[EI_NIDENT];
test_read(fd, ident, sizeof(ident));
TEST_ASSERT((ident[EI_MAG0] == ELFMAG0) && (ident[EI_MAG1] == ELFMAG1)
&& (ident[EI_MAG2] == ELFMAG2) && (ident[EI_MAG3] == ELFMAG3),
"ELF MAGIC Mismatch,\n"
" filename: %s\n"
Reported by FlawFinder.
Line: 121
Column: 7
CWE codes:
362
/* Open the ELF file. */
int fd;
fd = open(filename, O_RDONLY);
TEST_ASSERT(fd >= 0, "Failed to open ELF file,\n"
" filename: %s\n"
" rv: %i errno: %i", filename, fd, errno);
/* Read in the ELF header. */
Reported by FlawFinder.
tools/testing/selftests/net/udpgso_bench_rx.c
3 issues
Line: 300
Column: 14
CWE codes:
120
20
Suggestion:
Check implementation on installation, or limit the size of all string inputs
/* bind to any by default */
setup_sockaddr(PF_INET6, "::", &cfg_bind_addr);
while ((c = getopt(argc, argv, "4b:C:Gl:n:p:rR:S:tv")) != -1) {
switch (c) {
case '4':
cfg_family = PF_INET;
cfg_alen = sizeof(struct sockaddr_in);
setup_sockaddr(PF_INET, "0.0.0.0", &cfg_bind_addr);
Reported by FlawFinder.
Line: 217
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int recv_msg(int fd, char *buf, int len, int *gso_size)
{
char control[CMSG_SPACE(sizeof(uint16_t))] = {0};
struct msghdr msg = {0};
struct iovec iov = {0};
struct cmsghdr *cmsg;
uint16_t *gsosizeptr;
int ret;
Reported by FlawFinder.
Line: 252
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Flush all outstanding datagrams. Verify first few bytes of each. */
static void do_flush_udp(int fd)
{
static char rbuf[ETH_MAX_MTU];
int ret, len, gso_size, budget = 256;
len = cfg_read_all ? sizeof(rbuf) : 0;
while (budget--) {
/* MSG_TRUNC will make return value full datagram length */
Reported by FlawFinder.
tools/testing/selftests/bpf/prog_tests/btf_map_in_map.c
3 issues
Line: 52
Column: 2
CWE codes:
676
Suggestion:
Use nanosleep(2) or setitimer(2) instead
bpf_map_update_elem(outer_hash_fd, &key, &map2_fd, 0);
bpf_map_update_elem(outer_arr_dyn_fd, &key, &map3_fd, 0);
skel->bss->input = 1;
/*
 * NOTE(review): CWE-676 here is about usleep() being an obsolete interface,
 * not a memory-safety problem. The 1 us sleep looks like it is there to let
 * the BPF program run before the lookups - confirm. nanosleep() is the
 * replacement FlawFinder suggests.
 */
usleep(1);
/*
 * The return values of the updates above and of these lookups are not
 * checked. If a lookup fails, val keeps its previous contents and CHECK
 * compares that stale value.
 */
bpf_map_lookup_elem(map1_fd, &key, &val);
CHECK(val != 1, "inner1", "got %d != exp %d\n", val, 1);
bpf_map_lookup_elem(map2_fd, &key, &val);
CHECK(val != 2, "inner2", "got %d != exp %d\n", val, 2);
bpf_map_lookup_elem(map3_fd, &key, &val);
Reported by FlawFinder.
Line: 65
Column: 2
CWE codes:
676
Suggestion:
Use nanosleep(2) or setitimer(2) instead
bpf_map_update_elem(outer_hash_fd, &key, &map1_fd, 0);
bpf_map_update_elem(outer_arr_dyn_fd, &key, &map4_fd, 0);
skel->bss->input = 3;
usleep(1);
bpf_map_lookup_elem(map1_fd, &key, &val);
CHECK(val != 4, "inner1", "got %d != exp %d\n", val, 4);
bpf_map_lookup_elem(map2_fd, &key, &val);
CHECK(val != 3, "inner2", "got %d != exp %d\n", val, 3);
bpf_map_lookup_elem(map4_fd, &key, &val);
Reported by FlawFinder.
Line: 76
Column: 2
CWE codes:
676
Suggestion:
Use nanosleep(2) or setitimer(2) instead
/* inner5 = input + 2 */
bpf_map_update_elem(outer_arr_dyn_fd, &key, &map5_fd, 0);
skel->bss->input = 5;
usleep(1);
bpf_map_lookup_elem(map5_fd, &key, &val);
CHECK(val != 7, "inner5", "got %d != exp %d\n", val, 7);
for (i = 0; i < 5; i++) {
val = i % 2 ? map1_fd : map2_fd;
Reported by FlawFinder.
tools/testing/selftests/sgx/load.c
3 issues
Line: 168
Column: 3
CWE codes:
134
Suggestion:
Use a constant for the format specification
ptr = mmap(NULL, PAGE_SIZE, PROT_EXEC, MAP_SHARED, fd, 0);
/* On Linux, MAP_FAILED is defined as (void *)-1, which is what this compares against. */
if (ptr == (void *)-1) {
/*
 * NOTE(review): ERR_MSG is passed as the format string. Its definition is
 * not in this excerpt. If it is a string literal, the format is fixed at
 * build time and no outside input reaches it, but any '%' in the text would
 * still be interpreted as a conversion. fputs(ERR_MSG, stderr) or
 * fprintf(stderr, "%s", ERR_MSG) removes the question.
 */
fprintf(stderr, ERR_MSG);
goto err;
}
/* The mapping is released immediately after the mmap() result has been checked. */
munmap(ptr, PAGE_SIZE);
encl->fd = fd;
Reported by FlawFinder.
Line: 46
Column: 7
CWE codes:
362
int ret;
int fd;
fd = open(path, O_RDONLY);
if (fd == -1) {
perror("enclave executable open()");
return false;
}
Reported by FlawFinder.
Line: 141
Column: 7
CWE codes:
362
memset(encl, 0, sizeof(*encl));
fd = open(device_path, O_RDWR);
if (fd < 0) {
perror("Unable to open /dev/sgx_enclave");
goto err;
}
Reported by FlawFinder.