The following issues were found
samples/vfs/test-fsmount.c
2 issues
Line: 22
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void check_messages(int fd)
{
char buf[4096];
int err, n;
err = errno;
for (;;) {
Reported by FlawFinder.
security/keys/persistent.c
2 issues
Line: 79
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct keyring_index_key index_key;
struct key *persistent;
key_ref_t reg_ref, persistent_ref;
char buf[32];
long ret;
/* Look in the register if it exists */
memset(&index_key, 0, sizeof(index_key));
index_key.type = &key_type_keyring;
Reported by FlawFinder.
Line: 86
Column: 23
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
memset(&index_key, 0, sizeof(index_key));
index_key.type = &key_type_keyring;
index_key.description = buf;
index_key.desc_len = sprintf(buf, "_persistent.%u", from_kuid(ns, uid));
key_set_index_key(&index_key);
if (ns->persistent_keyring_register) {
reg_ref = make_key_ref(ns->persistent_keyring_register, true);
down_read(&ns->keyring_sem);
Reported by FlawFinder.
samples/rpmsg/rpmsg_client_sample.c
2 issues
Line: 44
Column: 36
CWE codes:
126
}
/* send a new message now */
ret = rpmsg_send(rpdev->ept, MSG, strlen(MSG));
if (ret)
dev_err(&rpdev->dev, "rpmsg_send failed: %d\n", ret);
return 0;
}
Reported by FlawFinder.
Line: 66
Column: 36
CWE codes:
126
dev_set_drvdata(&rpdev->dev, idata);
/* send a message to our remote processor */
ret = rpmsg_send(rpdev->ept, MSG, strlen(MSG));
if (ret) {
dev_err(&rpdev->dev, "rpmsg_send failed: %d\n", ret);
return ret;
}
Reported by FlawFinder.
security/keys/process_keys.c
2 issues
Line: 83
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
key_perm_t user_keyring_perm;
key_ref_t uid_keyring_r, session_keyring_r;
uid_t uid = from_kuid(user_ns, cred->user->uid);
char buf[20];
int ret;
user_keyring_perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_ALL;
kenter("%u", uid);
Reported by FlawFinder.
Line: 189
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct key *reg_keyring = READ_ONCE(cred->user_ns->user_keyring_register);
key_ref_t session_keyring_r;
char buf[20];
struct keyring_search_context ctx = {
.index_key.type = &key_type_keyring,
.index_key.description = buf,
.cred = cred,
Reported by FlawFinder.
net/rose/rose_dev.c
2 issues
Line: 42
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
unsigned char *buff = skb_push(skb, ROSE_MIN_LEN + 2);
if (daddr)
memcpy(buff + 7, daddr, dev->addr_len);
*buff++ = ROSE_GFI | ROSE_Q_BIT;
*buff++ = 0x00;
*buff++ = ROSE_DATA;
*buff++ = 0x7F;
Reported by FlawFinder.
Line: 72
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
rose_del_loopback_node((rose_address *)dev->dev_addr);
}
memcpy(dev->dev_addr, sa->sa_data, dev->addr_len);
return 0;
}
static int rose_open(struct net_device *dev)
Reported by FlawFinder.
samples/landlock/sandboxer.c
2 issues
Line: 89
Column: 18
CWE codes:
807
20
Suggestion:
Check environment variables carefully before using them
.parent_fd = -1,
};
env_path_name = getenv(env_var);
if (!env_path_name) {
/* Prevents users to forget a setting. */
fprintf(stderr, "Missing environment variable %s\n", env_var);
return 1;
}
Reported by FlawFinder.
Line: 110
Column: 28
CWE codes:
362
for (i = 0; i < num_paths; i++) {
struct stat statbuf;
path_beneath.parent_fd = open(path_list[i], O_PATH |
O_CLOEXEC);
if (path_beneath.parent_fd < 0) {
fprintf(stderr, "Failed to open \"%s\": %s\n",
path_list[i],
strerror(errno));
Reported by FlawFinder.
security/keys/user_defined.c
2 issues
Line: 75
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
prep->quotalen = datalen;
prep->payload.data[0] = upayload;
upayload->datalen = datalen;
memcpy(upayload->data, prep->data, datalen);
return 0;
}
EXPORT_SYMBOL_GPL(user_preparse);
/*
Reported by FlawFinder.
Line: 184
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (buflen > upayload->datalen)
buflen = upayload->datalen;
memcpy(buffer, upayload->data, buflen);
}
return ret;
}
Reported by FlawFinder.
security/landlock/ruleset.h
2 issues
Line: 31
Column: 6
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
* @access: Bitfield of allowed actions on the kernel object. They are
* relative to the object type (e.g. %LANDLOCK_ACTION_FS_READ).
*/
u16 access;
};
/**
* struct landlock_rule - Access rights tied to an object
*/
Reported by FlawFinder.
Line: 149
Column: 51
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
void landlock_put_ruleset_deferred(struct landlock_ruleset *const ruleset);
int landlock_insert_rule(struct landlock_ruleset *const ruleset,
struct landlock_object *const object, const u32 access);
struct landlock_ruleset *landlock_merge_ruleset(
struct landlock_ruleset *const parent,
struct landlock_ruleset *const ruleset);
Reported by FlawFinder.
security/loadpin/loadpin.c
2 issues
Line: 42
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
static int enforce = IS_ENABLED(CONFIG_SECURITY_LOADPIN_ENFORCE);
static char *exclude_read_files[READING_MAX_ID];
static int ignore_read_file_id[READING_MAX_ID] __ro_after_init;
static struct super_block *pinned_root;
static DEFINE_SPINLOCK(pinned_root_spinlock);
#ifdef CONFIG_SYSCTL
Reported by FlawFinder.
Line: 81
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* device, allow sysctl to change modes for testing.
*/
if (mnt_sb->s_bdev) {
char bdev[BDEVNAME_SIZE];
ro = bdev_read_only(mnt_sb->s_bdev);
bdevname(mnt_sb->s_bdev, bdev);
pr_info("%s (%u:%u): %s\n", bdev,
MAJOR(mnt_sb->s_bdev->bd_dev),
Reported by FlawFinder.
sound/usb/6fire/control.c
2 issues
Line: 24
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#include "comm.h"
#include "chip.h"
static const char * const opt_coax_texts[2] = { "Optical", "Coax" };
static const char * const line_phono_texts[2] = { "Line", "Phono" };
/*
* data that needs to be sent to device. sets up card internal stuff.
* values dumped from windows driver and filtered by trial'n'error.
Reported by FlawFinder.
Line: 25
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#include "chip.h"
static const char * const opt_coax_texts[2] = { "Optical", "Coax" };
static const char * const line_phono_texts[2] = { "Line", "Phono" };
/*
* data that needs to be sent to device. sets up card internal stuff.
* values dumped from windows driver and filtered by trial'n'error.
*/
Reported by FlawFinder.