The following issues were found
fs/ufs/namei.c
2 issues
Line: 137
Column: 3
CWE codes:
120
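Suggestion:
Make sure destination can always hold the source data
Note: the destination is the `UFS_I(inode)->i_u1.i_symlink` field and the length `l` is `strlen(symname)+1`. The excerpts for this file show only the `l > sb->s_blocksize` limit, so confirm in the full function that the fast-symlink branch is reached only when `l` fits that field.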
/* fast symlink */
inode->i_op = &simple_symlink_inode_operations;
inode->i_link = (char *)UFS_I(inode)->i_u1.i_symlink;
memcpy(inode->i_link, symname, l);
inode->i_size = l-1;
}
mark_inode_dirty(inode);
return ufs_add_nondir(dentry, inode);
Reported by FlawFinder.
Line: 114
Column: 15
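CWE codes:
126
Note: CWE-126 is a buffer over-read. `strlen(symname)` is bounded only if `symname` is NUL-terminated, which this excerpt does not establish; check what the caller guarantees for the string it passes in.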
{
struct super_block * sb = dir->i_sb;
int err;
unsigned l = strlen(symname)+1;
struct inode * inode;
if (l > sb->s_blocksize)
return -ENAMETOOLONG;
Reported by FlawFinder.
fs/ufs/util.c
2 issues
Line: 158
Column: 3
CWE codes:
120
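Suggestion:
Make sure destination can always hold the source data
Note: each iteration copies at most `uspi->s_fsize` bytes, but `mem` advances by a full `s_fsize` and `bhno` is incremented with no upper bound visible in the excerpt. The `size` supplied by the caller therefore has to match both the `mem` buffer and the number of entries in `ubh->bh[]`. The finding for line 174 is the same loop with source and destination swapped.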
bhno = 0;
while (size) {
len = min_t(unsigned int, size, uspi->s_fsize);
memcpy (mem, ubh->bh[bhno]->b_data, len);
mem += uspi->s_fsize;
size -= len;
bhno++;
}
}
Reported by FlawFinder.
Line: 174
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
bhno = 0;
while (size) {
len = min_t(unsigned int, size, uspi->s_fsize);
memcpy (ubh->bh[bhno]->b_data, mem, len);
mem += uspi->s_fsize;
size -= len;
bhno++;
}
}
Reported by FlawFinder.
fs/unicode/utf8-core.c
2 issues
Line: 177
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int *min, unsigned int *rev)
{
substring_t args[3];
char version_string[12];
static const struct match_token token[] = {
{1, "%d.%d.%d"},
{0, NULL}
};
Reported by FlawFinder.
Line: 183
Column: 2
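CWE codes:
120
Note: `strncpy()` with `sizeof(version_string)` as the limit does not write a terminating NUL when `version` is 12 bytes or longer, and the buffer is passed to `match_token()` as a string on the next line. A copy that always terminates and reports truncation (`strscpy()` in kernel code, rejecting the input when it returns an error) removes the unterminated case.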
{0, NULL}
};
strncpy(version_string, version, sizeof(version_string));
if (match_token(version_string, token, args) != 1)
return -EINVAL;
if (match_int(&args[0], maj) || match_int(&args[1], min) ||
Reported by FlawFinder.
fs/verity/signature.c
2 issues
Line: 60
Column: 2
CWE codes:
120
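Suggestion:
Make sure destination can always hold the source data
Note: this copy has a fixed length of 8, the number of characters in "FSVerity", so the literal's terminating NUL is not copied. What remains to check is that `d->magic` is declared with at least 8 bytes; its declaration is outside the excerpt.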
d = kzalloc(sizeof(*d) + hash_alg->digest_size, GFP_KERNEL);
if (!d)
return -ENOMEM;
memcpy(d->magic, "FSVerity", 8);
d->digest_algorithm = cpu_to_le16(hash_alg - fsverity_hash_algs);
d->digest_size = cpu_to_le16(hash_alg->digest_size);
memcpy(d->digest, vi->file_digest, hash_alg->digest_size);
err = verify_pkcs7_signature(d, sizeof(*d) + hash_alg->digest_size,
Reported by FlawFinder.
Line: 63
Column: 2
CWE codes:
120
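Suggestion:
Make sure destination can always hold the source data
Note: `d` is allocated as `sizeof(*d) + hash_alg->digest_size` (the `kzalloc()` shown in the excerpt for line 60) and the copy uses the same `hash_alg->digest_size`, so the destination holds the data provided `d->digest` is the trailing member of `*d` (not shown). The source side, that `vi->file_digest` holds at least `digest_size` bytes, is not visible here and is the part to confirm.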
memcpy(d->magic, "FSVerity", 8);
d->digest_algorithm = cpu_to_le16(hash_alg - fsverity_hash_algs);
d->digest_size = cpu_to_le16(hash_alg->digest_size);
memcpy(d->digest, vi->file_digest, hash_alg->digest_size);
err = verify_pkcs7_signature(d, sizeof(*d) + hash_alg->digest_size,
signature, sig_size, fsverity_keyring,
VERIFYING_UNSPECIFIED_SIGNATURE,
NULL, NULL);
Reported by FlawFinder.
fs/xfs/libxfs/xfs_attr_remote.c
2 issues
Line: 310
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
hdr_size = sizeof(struct xfs_attr3_rmt_hdr);
}
memcpy(*dst, src + hdr_size, byte_cnt);
/* roll buffer forwards */
len -= blksize;
src += blksize;
bno += BTOBB(blksize);
Reported by FlawFinder.
Line: 349
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
hdr_size = xfs_attr3_rmt_hdr_set(mp, dst, ino, *offset,
byte_cnt, bno);
memcpy(dst + hdr_size, *src, byte_cnt);
/*
* If this is the last block, zero the remainder of it.
* Check that we are actually the last block, too.
*/
Reported by FlawFinder.
fs/xfs/libxfs/xfs_btree_staging.c
2 issues
Line: 143
Column: 2
CWE codes:
120
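Suggestion:
Make sure destination can always hold the source data
Note: the allocation on the line before the copy and the copy itself both use `sizeof(struct xfs_btree_ops)`, so the sizes match. The excerpt shows no check of the `kmem_alloc()` result before `nops` is written, so confirm that this call cannot return NULL with `KM_NOFS`. The finding for line 224 is the same pattern.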
ASSERT(cur->bc_tp == NULL);
nops = kmem_alloc(sizeof(struct xfs_btree_ops), KM_NOFS);
memcpy(nops, cur->bc_ops, sizeof(struct xfs_btree_ops));
nops->alloc_block = xfs_btree_fakeroot_alloc_block;
nops->free_block = xfs_btree_fakeroot_free_block;
nops->init_ptr_from_cur = xfs_btree_fakeroot_init_ptr_from_cur;
nops->set_root = xfs_btree_afakeroot_set_root;
nops->dup_cursor = xfs_btree_fakeroot_dup_cursor;
Reported by FlawFinder.
Line: 224
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ASSERT(cur->bc_tp == NULL);
nops = kmem_alloc(sizeof(struct xfs_btree_ops), KM_NOFS);
memcpy(nops, cur->bc_ops, sizeof(struct xfs_btree_ops));
nops->alloc_block = xfs_btree_fakeroot_alloc_block;
nops->free_block = xfs_btree_fakeroot_free_block;
nops->init_ptr_from_cur = xfs_btree_fakeroot_init_ptr_from_cur;
nops->dup_cursor = xfs_btree_fakeroot_dup_cursor;
Reported by FlawFinder.
fs/xfs/libxfs/xfs_log_format.h
2 issues
Line: 187
Column: 2
CWE codes:
119
120
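Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
Note: the flagged line declares a fixed-size `char` array inside a type definition; nothing is copied at this location. The same applies to `qf_pad[12]` in the finding for line 818. What needs review is the code that writes into these fields, which is not part of these excerpts.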
typedef union xlog_in_core2 {
xlog_rec_header_t hic_header;
xlog_rec_ext_header_t hic_xheader;
char hic_sector[XLOG_HEADER_SIZE];
} xlog_in_core_2_t;
/* not an on-disk structure, but needed by log recovery in userspace */
typedef struct xfs_log_iovec {
void *i_addr; /* beginning address of region */
Reported by FlawFinder.
Line: 818
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned short qf_type; /* quotaoff log item type */
unsigned short qf_size; /* size of this item */
unsigned int qf_flags; /* USR and/or GRP */
char qf_pad[12]; /* padding for future */
} xfs_qoff_logformat_t;
/*
* Disk quotas status in m_qflags, and also sb_qflags. 16 bits.
*/
Reported by FlawFinder.
fs/xfs/libxfs/xfs_symlink_remote.c
2 issues
Line: 178
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!xfs_sb_version_hascrc(&mp->m_sb)) {
bp->b_ops = NULL;
memcpy(bp->b_addr, ifp->if_u1.if_data, ifp->if_bytes);
xfs_trans_log_buf(tp, bp, 0, ifp->if_bytes - 1);
return;
}
/*
Reported by FlawFinder.
Line: 194
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
buf = bp->b_addr;
buf += xfs_symlink_hdr_set(mp, ip->i_ino, 0, ifp->if_bytes, bp);
memcpy(buf, ifp->if_u1.if_data, ifp->if_bytes);
xfs_trans_log_buf(tp, bp, 0, sizeof(struct xfs_dsymlink_hdr) +
ifp->if_bytes - 1);
}
/*
Reported by FlawFinder.
fs/xfs/scrub/btree.c
2 issues
Line: 147
Column: 2
CWE codes:
120
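Suggestion:
Make sure destination can always hold the source data
Note: the length comes from the ops table (`cur->bc_ops->rec_len`) while the destination is the struct field `bs->lastrec`. The copy stays in bounds only if `lastrec` is declared large enough for the largest `rec_len` of any btree type, which the excerpt does not show. The finding for line 195 has the same shape with `bs->lastkey[level]` and `key_len`; there `level` also indexes the array, so its range matters too.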
if (!bs->firstrec && !cur->bc_ops->recs_inorder(cur, &bs->lastrec, rec))
xchk_btree_set_corrupt(bs->sc, cur, 0);
bs->firstrec = false;
memcpy(&bs->lastrec, rec, cur->bc_ops->rec_len);
if (cur->bc_nlevels == 1)
return;
/* Is this at least as large as the parent low key? */
Reported by FlawFinder.
Line: 195
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
!cur->bc_ops->keys_inorder(cur, &bs->lastkey[level], key))
xchk_btree_set_corrupt(bs->sc, cur, level);
bs->firstkey[level] = false;
memcpy(&bs->lastkey[level], key, cur->bc_ops->key_len);
if (level + 1 >= cur->bc_nlevels)
return;
/* Is this at least as large as the parent low key? */
Reported by FlawFinder.
fs/xfs/xfs_acl.c
2 issues
Line: 152
Column: 17
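CWE codes:
126
Note: CWE-126 is a buffer over-read. `args.name` is presumably assigned in the `switch` whose tail is shown above the call; the `case` bodies are outside the excerpt, so check that each of them assigns a NUL-terminated string before `strlen()` runs. The finding for line 192 is the same call after a `switch` that returns `-EINVAL` by default.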
default:
BUG();
}
args.namelen = strlen(args.name);
/*
* If the attribute doesn't exist make sure we have a negative cache
* entry, for any other error assume it is transient.
*/
Reported by FlawFinder.
Line: 192
Column: 17
CWE codes:
126
default:
return -EINVAL;
}
args.namelen = strlen(args.name);
if (acl) {
args.valuelen = XFS_ACL_SIZE(acl->a_count);
args.value = kvzalloc(args.valuelen, GFP_KERNEL);
if (!args.value)
Reported by FlawFinder.