The following issues were found

fs/overlayfs/copy_up.c
2 issues
sprintf - Does not check for buffer overflows
Security

Line: 33 Column: 9 CWE codes: 120
Suggestion: Use sprintf_s, snprintf, or vsnprintf (sprintf_s is not available in kernel code; the bounded kernel options are snprintf or scnprintf)

              
static int ovl_ccup_get(char *buf, const struct kernel_param *param)
{
	/*
	 * Getter for the check_copy_up parameter: always reports "N".
	 * The format is a fixed literal with no conversions, so sprintf()
	 * writes exactly three bytes ('N', '\n', NUL) and returns 2. The
	 * scanner's overflow warning would only matter if buf were smaller
	 * than three bytes; param is not used.
	 */
	int written = sprintf(buf, "N\n");

	return written;
}

/*
 * Register check_copy_up as a module parameter with mode 0644, using
 * ovl_ccup_set and ovl_ccup_get as its handlers (ovl_ccup_set is defined
 * outside this excerpt). The description marks the parameter obsolete.
 */
module_param_call(check_copy_up, ovl_ccup_set, ovl_ccup_get, NULL, 0644);
MODULE_PARM_DESC(check_copy_up, "Obsolete; does nothing");


            

Reported by FlawFinder.

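tmpfile - Function tmpfile() has a security flaw on some systems (e.g., older System V systems). Note: in the excerpt below, `tmpfile` occurs only as the struct member `ofs->tmpfile` and inside the function name `ovl_copy_up_tmpfile`; neither is a call to the C library tmpfile(), so this looks like a name-match false positive.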
Security

Line: 747 Column: 36 CWE codes: 377

              	}

	/* Should we copyup with O_TMPFILE or with workdir? */
	if (S_ISREG(c->stat.mode) && ofs->tmpfile)
		err = ovl_copy_up_tmpfile(c);
	else
		err = ovl_copy_up_workdir(c);
	if (err)
		goto out;

            

Reported by FlawFinder.

fs/proc/consoles.c
2 issues
char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 28 Column: 2 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

              		{ CON_BRL,		'b' },
		{ CON_ANYTIME,		'a' },
	};
	char flags[ARRAY_SIZE(con_flags) + 1];
	struct console *con = v;
	unsigned int a;
	dev_t dev = 0;

	if (con->device) {

            

Reported by FlawFinder.

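read - Check buffer boundaries if used in a loop including recursive loops. Note: the match in the excerpt below is `con->read`, a struct member tested only to choose between 'R' and '-'; no read() call or buffer is involved at that point.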
Security

Line: 51 Column: 36 CWE codes: 120 20

              	seq_setwidth(m, 21 - 1);
	seq_printf(m, "%s%d", con->name, con->index);
	seq_pad(m, ' ');
	seq_printf(m, "%c%c%c (%s)", con->read ? 'R' : '-',
			con->write ? 'W' : '-', con->unblank ? 'U' : '-',
			flags);
	if (dev)
		seq_printf(m, " %4d:%d", MAJOR(dev), MINOR(dev));


            

Reported by FlawFinder.

fs/quota/dquot.c
2 issues
char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 1954 Column: 2 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

              	qsize_t inode_usage = 1;
	struct dquot *transfer_from[MAXQUOTAS] = {};
	int cnt, ret = 0;
	char is_valid[MAXQUOTAS] = {};
	struct dquot_warn warn_to[MAXQUOTAS];
	struct dquot_warn warn_from_inodes[MAXQUOTAS];
	struct dquot_warn warn_from_space[MAXQUOTAS];

	if (IS_NOQUOTA(inode))

            

Reported by FlawFinder.

strlen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected)
Security

Line: 2490 Column: 57 CWE codes: 126

              	struct dentry *dentry;
	int error;

	dentry = lookup_positive_unlocked(qf_name, sb->s_root, strlen(qf_name));
	if (IS_ERR(dentry))
		return PTR_ERR(dentry);

	error = security_quota_on(dentry);
	if (!error)

            

Reported by FlawFinder.

fs/reiserfs/procfs.c
2 issues
char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 410 Column: 2 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

              
int reiserfs_proc_info_init(struct super_block *sb)
{
	char b[BDEVNAME_SIZE];
	char *s;

	/* Some block devices use /'s */
	strlcpy(b, sb->s_id, BDEVNAME_SIZE);
	s = strchr(b, '/');

            

Reported by FlawFinder.

char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 440 Column: 3 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

              {
	struct proc_dir_entry *de = REISERFS_SB(sb)->procdir;
	if (de) {
		char b[BDEVNAME_SIZE];
		char *s;

		/* Some block devices use /'s */
		strlcpy(b, sb->s_id, BDEVNAME_SIZE);
		s = strchr(b, '/');

            

Reported by FlawFinder.

fs/reiserfs/stree.c
2 issues
memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 33 Column: 2 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

              inline void copy_item_head(struct item_head *to,
			   const struct item_head *from)
{
	/*
	 * Copy one item header: IH_SIZE bytes from *from into *to.
	 * NOTE(review): the copy is unchecked, so it is safe only if
	 * IH_SIZE does not exceed sizeof(struct item_head) and both
	 * pointers refer to full headers; IH_SIZE is defined outside this
	 * excerpt - confirm. memcpy() also requires that the two regions
	 * do not overlap.
	 */
	memcpy(to, from, IH_SIZE);
}

/*
 * k1 is pointer to on-disk structure which is stored in little-endian
 * form. k2 is pointer to cpu variable. For key of items of the same

            

Reported by FlawFinder.

memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 1364 Column: 3 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

              
		data = kmap_atomic(un_bh->b_page);
		off = ((le_ih_k_offset(&s_ih) - 1) & (PAGE_SIZE - 1));
		memcpy(data + off,
		       ih_item_body(PATH_PLAST_BUFFER(path), &s_ih),
		       ret_value);
		kunmap_atomic(data);
	}


            

Reported by FlawFinder.

fs/squashfs/cache.c
2 issues
memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 310 Column: 4 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

              				PAGE_SIZE - (offset % PAGE_SIZE));

		if (bytes >= remaining) {
			memcpy(buffer, buff, remaining);
			remaining = 0;
			break;
		}

		memcpy(buffer, buff, bytes);

            

Reported by FlawFinder.

memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 315 Column: 3 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

              			break;
		}

		memcpy(buffer, buff, bytes);
		buffer += bytes;
		remaining -= bytes;
		offset += bytes;
	}


            

Reported by FlawFinder.

fs/stat.c
2 issues
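readlink - This accepts filename arguments; if an attacker can move those files or change the link content, a race condition results. Also, it does not terminate with ASCII NUL. Note: the excerpt below appears to be the kernel's own implementation path for readlink(2), and the match is the `i_op->readlink` operation pointer; the advice targets programs that call readlink() and does not describe this line.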
Security

Line: 433 Column: 49 CWE codes: 362 20
Suggestion: Reconsider approach

              		/*
		 * AFS mountpoints allow readlink(2) but are not symlinks
		 */
		if (d_is_symlink(path.dentry) || inode->i_op->readlink) {
			error = security_inode_readlink(path.dentry);
			if (!error) {
				touch_atime(&path);
				error = vfs_readlink(path.dentry, buf, bufsiz);
			}

            

Reported by FlawFinder.

readlink - This accepts filename arguments; if an attacker can move those files or change the link content, a race condition results. Also, it does not terminate with ASCII NUL.
Security

Line: 455 Column: 17 CWE codes: 362 20
Suggestion: Reconsider approach

              	return do_readlinkat(dfd, pathname, buf, bufsiz);
}

/*
 * readlink(2) entry point: forwards to do_readlinkat() with AT_FDCWD as
 * the directory fd, passing the user-space path and buf pointers and
 * bufsiz through unchanged. This wrapper does no validation of its own;
 * any checking of path, buf or bufsiz is left to do_readlinkat(), which
 * is only partly visible in this excerpt.
 *
 * A scanner match on the name "readlink" at this line refers to the
 * syscall being defined, not to a call of the C library function.
 */
SYSCALL_DEFINE3(readlink, const char __user *, path, char __user *, buf,
		int, bufsiz)
{
	return do_readlinkat(AT_FDCWD, path, buf, bufsiz);
}


            

Reported by FlawFinder.

fs/statfs.c
2 issues
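memcpy - Does not check for buffer overflows when copying to destination. Note: in the excerpt below the copy runs only when `sizeof(buf) == sizeof(*st)`, so the destination is exactly as large as the `sizeof(*st)` bytes copied.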
Security

Line: 131 Column: 3 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

              	struct statfs buf;

	if (sizeof(buf) == sizeof(*st))
		memcpy(&buf, st, sizeof(*st));
	else {
		if (sizeof buf.f_blocks == 4) {
			if ((st->f_blocks | st->f_bfree | st->f_bavail |
			     st->f_bsize | st->f_frsize) &
			    0xffffffff00000000ULL)

            

Reported by FlawFinder.

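memcpy - Does not check for buffer overflows when copying to destination. Note: in the excerpt below the copy runs only when `sizeof(buf) == sizeof(*st)`, so the destination is exactly as large as the `sizeof(*st)` bytes copied.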
Security

Line: 172 Column: 3 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

              {
	struct statfs64 buf;
	if (sizeof(buf) == sizeof(*st))
		memcpy(&buf, st, sizeof(*st));
	else {
		buf.f_type = st->f_type;
		buf.f_bsize = st->f_bsize;
		buf.f_blocks = st->f_blocks;
		buf.f_bfree = st->f_bfree;

            

Reported by FlawFinder.

fs/sysv/balloc.c
2 issues
memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 86 Column: 3 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

              		}
		memset(bh->b_data, 0, sb->s_blocksize);
		*(__fs16*)bh->b_data = cpu_to_fs16(sbi, count);
		memcpy(get_chunk(sb,bh), blocks, count * sizeof(sysv_zone_t));
		mark_buffer_dirty(bh);
		set_buffer_uptodate(bh);
		brelse(bh);
		count = 0;
	}

            

Reported by FlawFinder.

memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 144 Column: 3 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

              			goto Enospc;
		}
		*sbi->s_bcache_count = cpu_to_fs16(sbi, count);
		memcpy(sbi->s_bcache, get_chunk(sb, bh),
				count * sizeof(sysv_zone_t));
		brelse(bh);
	}
	/* Now the free list head in the superblock is valid again. */
	fs32_add(sbi, sbi->s_free_blocks, -1);

            

Reported by FlawFinder.

fs/tracefs/inode.c
2 issues
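memcpy - Does not check for buffer overflows when copying to destination. Note: in the excerpt below the destination was just allocated with `kmalloc(len + 1, GFP_KERNEL)` and checked for NULL, so it holds the `len` bytes copied plus the terminator; whether `len` itself is bounded is not visible here.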
Security

Line: 65 Column: 2 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

              	name = kmalloc(len + 1, GFP_KERNEL);
	if (!name)
		return NULL;
	memcpy(name, dname, len);
	name[len] = 0;
	return name;
}

static int tracefs_syscall_mkdir(struct user_namespace *mnt_userns,

            

Reported by FlawFinder.

strlen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected)
Security

Line: 338 Column: 41 CWE codes: 126

              	if (unlikely(IS_DEADDIR(parent->d_inode)))
		dentry = ERR_PTR(-ENOENT);
	else
		dentry = lookup_one_len(name, parent, strlen(name));
	if (!IS_ERR(dentry) && dentry->d_inode) {
		dput(dentry);
		dentry = ERR_PTR(-EEXIST);
	}


            

Reported by FlawFinder.