The following issues were found
drivers/misc/mei/hdcp/mei_hdcp.c
17 issues
Line: 87
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ake_data->msg_id = HDCP_2_2_AKE_INIT;
ake_data->tx_caps = session_init_out.tx_caps;
memcpy(ake_data->r_tx, session_init_out.r_tx, HDCP_2_2_RTX_LEN);
return 0;
}
/**
Reported by FlawFinder.
Line: 134
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
verify_rxcert_in.port.attached_transcoder = (u8)data->fw_tc;
verify_rxcert_in.cert_rx = rx_cert->cert_rx;
memcpy(verify_rxcert_in.r_rx, &rx_cert->r_rx, HDCP_2_2_RRX_LEN);
memcpy(verify_rxcert_in.rx_caps, rx_cert->rx_caps, HDCP_2_2_RXCAPS_LEN);
byte = mei_cldev_send(cldev, (u8 *)&verify_rxcert_in,
sizeof(verify_rxcert_in));
if (byte < 0) {
Reported by FlawFinder.
Line: 135
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
verify_rxcert_in.cert_rx = rx_cert->cert_rx;
memcpy(verify_rxcert_in.r_rx, &rx_cert->r_rx, HDCP_2_2_RRX_LEN);
memcpy(verify_rxcert_in.rx_caps, rx_cert->rx_caps, HDCP_2_2_RXCAPS_LEN);
byte = mei_cldev_send(cldev, (u8 *)&verify_rxcert_in,
sizeof(verify_rxcert_in));
if (byte < 0) {
dev_dbg(dev, "mei_cldev_send failed: %zd\n", byte);
Reported by FlawFinder.
Line: 167
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*msg_sz = sizeof(struct hdcp2_ake_no_stored_km);
}
memcpy(ek_pub_km->e_kpub_km, &verify_rxcert_out.ekm_buff,
sizeof(verify_rxcert_out.ekm_buff));
return 0;
}
Reported by FlawFinder.
Line: 204
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
send_hprime_in.port.physical_port = (u8)data->fw_ddi;
send_hprime_in.port.attached_transcoder = (u8)data->fw_tc;
memcpy(send_hprime_in.h_prime, rx_hprime->h_prime,
HDCP_2_2_H_PRIME_LEN);
byte = mei_cldev_send(cldev, (u8 *)&send_hprime_in,
sizeof(send_hprime_in));
if (byte < 0) {
Reported by FlawFinder.
Line: 262
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pairing_info_in.port.physical_port = (u8)data->fw_ddi;
pairing_info_in.port.attached_transcoder = (u8)data->fw_tc;
memcpy(pairing_info_in.e_kh_km, pairing_info->e_kh_km,
HDCP_2_2_E_KH_KM_LEN);
byte = mei_cldev_send(cldev, (u8 *)&pairing_info_in,
sizeof(pairing_info_in));
if (byte < 0) {
Reported by FlawFinder.
Line: 340
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
lc_init_data->msg_id = HDCP_2_2_LC_INIT;
memcpy(lc_init_data->r_n, lc_init_out.r_n, HDCP_2_2_RN_LEN);
return 0;
}
/**
Reported by FlawFinder.
Line: 377
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
verify_lprime_in.port.physical_port = (u8)data->fw_ddi;
verify_lprime_in.port.attached_transcoder = (u8)data->fw_tc;
memcpy(verify_lprime_in.l_prime, rx_lprime->l_prime,
HDCP_2_2_L_PRIME_LEN);
byte = mei_cldev_send(cldev, (u8 *)&verify_lprime_in,
sizeof(verify_lprime_in));
if (byte < 0) {
Reported by FlawFinder.
Line: 455
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
ske_data->msg_id = HDCP_2_2_SKE_SEND_EKS;
memcpy(ske_data->e_dkey_ks, get_skey_out.e_dkey_ks,
HDCP_2_2_E_DKEY_KS_LEN);
memcpy(ske_data->riv, get_skey_out.r_iv, HDCP_2_2_RIV_LEN);
return 0;
}
Reported by FlawFinder.
Line: 457
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ske_data->msg_id = HDCP_2_2_SKE_SEND_EKS;
memcpy(ske_data->e_dkey_ks, get_skey_out.e_dkey_ks,
HDCP_2_2_E_DKEY_KS_LEN);
memcpy(ske_data->riv, get_skey_out.r_iv, HDCP_2_2_RIV_LEN);
return 0;
}
/**
Reported by FlawFinder.
tools/power/cpupower/utils/idle_monitor/cpuidle_sysfs.c
17 issues
Line: 85
Column: 4
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
if (!strncmp(tmp, "NHM-", 4)) {
switch (num) {
case 1:
strcpy(tmp, "C1");
break;
case 2:
strcpy(tmp, "C3");
break;
case 3:
Reported by FlawFinder.
Line: 88
Column: 4
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
strcpy(tmp, "C1");
break;
case 2:
strcpy(tmp, "C3");
break;
case 3:
strcpy(tmp, "C6");
break;
}
Reported by FlawFinder.
Line: 91
Column: 4
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
strcpy(tmp, "C3");
break;
case 3:
strcpy(tmp, "C6");
break;
}
} else if (!strncmp(tmp, "SNB-", 4)) {
switch (num) {
case 1:
Reported by FlawFinder.
Line: 97
Column: 4
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
} else if (!strncmp(tmp, "SNB-", 4)) {
switch (num) {
case 1:
strcpy(tmp, "C1");
break;
case 2:
strcpy(tmp, "C3");
break;
case 3:
Reported by FlawFinder.
Line: 100
Column: 4
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
strcpy(tmp, "C1");
break;
case 2:
strcpy(tmp, "C3");
break;
case 3:
strcpy(tmp, "C6");
break;
case 4:
Reported by FlawFinder.
Line: 103
Column: 4
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
strcpy(tmp, "C3");
break;
case 3:
strcpy(tmp, "C6");
break;
case 4:
strcpy(tmp, "C7");
break;
}
Reported by FlawFinder.
Line: 106
Column: 4
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
strcpy(tmp, "C6");
break;
case 4:
strcpy(tmp, "C7");
break;
}
} else if (!strncmp(tmp, "ATM-", 4)) {
switch (num) {
case 1:
Reported by FlawFinder.
Line: 112
Column: 4
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
} else if (!strncmp(tmp, "ATM-", 4)) {
switch (num) {
case 1:
strcpy(tmp, "C1");
break;
case 2:
strcpy(tmp, "C2");
break;
case 3:
Reported by FlawFinder.
Line: 115
Column: 4
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
strcpy(tmp, "C1");
break;
case 2:
strcpy(tmp, "C2");
break;
case 3:
strcpy(tmp, "C4");
break;
case 4:
Reported by FlawFinder.
Line: 118
Column: 4
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
strcpy(tmp, "C2");
break;
case 3:
strcpy(tmp, "C4");
break;
case 4:
strcpy(tmp, "C6");
break;
}
Reported by FlawFinder.
drivers/misc/habanalabs/common/sysfs.c
17 issues
Line: 119
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct hl_device *hdev = dev_get_drvdata(dev);
return sprintf(buf, "%s\n", hdev->asic_prop.uboot_ver);
}
static ssize_t armcp_kernel_ver_show(struct device *dev,
struct device_attribute *attr, char *buf)
{
Reported by FlawFinder.
Line: 127
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct hl_device *hdev = dev_get_drvdata(dev);
return sprintf(buf, "%s", hdev->asic_prop.cpucp_info.kernel_version);
}
static ssize_t armcp_ver_show(struct device *dev, struct device_attribute *attr,
char *buf)
{
Reported by FlawFinder.
Line: 135
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct hl_device *hdev = dev_get_drvdata(dev);
return sprintf(buf, "%s\n", hdev->asic_prop.cpucp_info.cpucp_version);
}
static ssize_t cpld_ver_show(struct device *dev, struct device_attribute *attr,
char *buf)
{
Reported by FlawFinder.
Line: 152
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct hl_device *hdev = dev_get_drvdata(dev);
return sprintf(buf, "%s", hdev->asic_prop.cpucp_info.kernel_version);
}
static ssize_t cpucp_ver_show(struct device *dev, struct device_attribute *attr,
char *buf)
{
Reported by FlawFinder.
Line: 160
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct hl_device *hdev = dev_get_drvdata(dev);
return sprintf(buf, "%s\n", hdev->asic_prop.cpucp_info.cpucp_version);
}
static ssize_t infineon_ver_show(struct device *dev,
struct device_attribute *attr, char *buf)
{
Reported by FlawFinder.
Line: 177
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct hl_device *hdev = dev_get_drvdata(dev);
return sprintf(buf, "%s\n", hdev->asic_prop.cpucp_info.fuse_version);
}
static ssize_t thermal_ver_show(struct device *dev,
struct device_attribute *attr, char *buf)
{
Reported by FlawFinder.
Line: 185
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct hl_device *hdev = dev_get_drvdata(dev);
return sprintf(buf, "%s", hdev->asic_prop.cpucp_info.thermal_version);
}
static ssize_t preboot_btl_ver_show(struct device *dev,
struct device_attribute *attr, char *buf)
{
Reported by FlawFinder.
Line: 193
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct hl_device *hdev = dev_get_drvdata(dev);
return sprintf(buf, "%s\n", hdev->asic_prop.preboot_ver);
}
static ssize_t soft_reset_store(struct device *dev,
struct device_attribute *attr, const char *buf,
size_t count)
Reported by FlawFinder.
Line: 269
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
return -EINVAL;
}
return sprintf(buf, "%s\n", str);
}
static ssize_t pci_addr_show(struct device *dev, struct device_attribute *attr,
char *buf)
{
Reported by FlawFinder.
Line: 299
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
else
str = "Operational";
return sprintf(buf, "%s\n", str);
}
static ssize_t soft_reset_cnt_show(struct device *dev,
struct device_attribute *attr, char *buf)
{
Reported by FlawFinder.
tools/bpf/bpftool/gen.c
17 issues
Line: 130
DECLARE_LIBBPF_OPTS(btf_dump_emit_type_decl_opts, opts,
.field_name = var_ident,
.indent_level = 2,
.strip_mods = strip_mods,
);
int need_off = sec_var->offset, align_off, align;
__u32 var_type_id = var->type;
/* static variables are not exposed through BPF skeleton */
Reported by Cppcheck.
Line: 178
Column: 3
CWE codes:
120
Suggestion:
Consider strcat_s, strlcat, snprintf, or automatically resizing strings
* which we'll turn into a '<function name>_<variable name>'
*/
var_ident[0] = '\0';
strncat(var_ident, var_name, sizeof(var_ident) - 1);
sanitize_identifier(var_ident);
printf("\t\t");
err = btf_dump__emit_type_decl(d, var_type_id, &opts);
if (err)
Reported by FlawFinder.
Line: 66
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
int i;
sprintf(guard, "__%s_SKEL_H__", obj_name);
for (i = 0; guard[i]; i++)
guard[i] = toupper(guard[i]);
}
static const char *get_map_ident(const struct bpf_map *map)
Reported by FlawFinder.
Line: 92
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
static void codegen_btf_dump_printf(void *ctx, const char *fmt, va_list args)
{
vprintf(fmt, args);
}
static int codegen_datasec_def(struct bpf_object *obj,
struct btf *btf,
struct btf_dump *d,
Reported by FlawFinder.
Line: 272
Column: 6
CWE codes:
134
Suggestion:
Use a constant for the format specification
/* print out using adjusted template */
va_start(args, template);
n = vprintf(s, args);
va_end(args);
free(s);
}
Reported by FlawFinder.
Line: 105
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const struct btf_var_secinfo *sec_var = btf_var_secinfos(sec);
int i, err, off = 0, pad_cnt = 0, vlen = btf_vlen(sec);
const char *sec_ident;
char var_ident[256];
bool strip_mods = false;
if (strcmp(sec_name, ".data") == 0) {
sec_ident = "data";
strip_mods = true;
Reported by FlawFinder.
Line: 262
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
end = strchrnul(src, '\n');
for (n = end - src; n > 0 && isspace(src[n - 1]); n--)
;
memcpy(dst, src, n);
dst += n;
if (*end)
*dst++ = '\n';
src = *end ? end + 1 : end;
}
Reported by FlawFinder.
Line: 601
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int do_skeleton(int argc, char **argv)
{
char header_guard[MAX_OBJ_NAME_LEN + sizeof("__SKEL_H__")];
size_t i, map_cnt = 0, prog_cnt = 0, file_sz, mmap_sz;
DECLARE_LIBBPF_OPTS(bpf_object_open_opts, opts);
char obj_name[MAX_OBJ_NAME_LEN] = "", *obj_data;
struct bpf_object *obj = NULL;
const char *file, *ident;
Reported by FlawFinder.
Line: 604
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char header_guard[MAX_OBJ_NAME_LEN + sizeof("__SKEL_H__")];
size_t i, map_cnt = 0, prog_cnt = 0, file_sz, mmap_sz;
DECLARE_LIBBPF_OPTS(bpf_object_open_opts, opts);
char obj_name[MAX_OBJ_NAME_LEN] = "", *obj_data;
struct bpf_object *obj = NULL;
const char *file, *ident;
struct bpf_program *prog;
int fd, err = -1;
struct bpf_map *map;
Reported by FlawFinder.
Line: 652
Column: 7
CWE codes:
362
}
file_sz = st.st_size;
mmap_sz = roundup(file_sz, sysconf(_SC_PAGE_SIZE));
fd = open(file, O_RDONLY);
if (fd < 0) {
p_err("failed to open() %s: %s", file, strerror(errno));
return -1;
}
obj_data = mmap(NULL, mmap_sz, PROT_READ, MAP_PRIVATE, fd, 0);
Reported by FlawFinder.
tools/power/acpi/tools/acpidbg/acpidbg.c
17 issues
Line: 59
Column: 4
CWE codes:
134
Suggestion:
Use a constant for the format specification
do { \
_ret = acpi_aml_##_op(_fd, &acpi_aml_##_buf##_crc); \
if (_ret == 0) { \
fprintf(stderr, \
"%s %s pipe closed.\n", #_buf, #_op); \
return; \
} \
} while (0)
#define ACPI_AML_BATCH_DO(_fd, _op, _buf, _ret) \
Reported by FlawFinder.
Line: 386
Column: 15
CWE codes:
120
20
Suggestion:
Check implementation on installation, or limit the size of all string inputs
int len;
int ret = EXIT_SUCCESS;
while ((ch = getopt(argc, argv, "b:f:h")) != -1) {
switch (ch) {
case 'b':
if (acpi_aml_batch_cmd) {
fprintf(stderr, "Already specify %s\n",
acpi_aml_batch_cmd);
Reported by FlawFinder.
Line: 73
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
} while (0)
static char acpi_aml_cmd_buf[ACPI_AML_BUF_SIZE];
static char acpi_aml_log_buf[ACPI_AML_BUF_SIZE];
static struct circ_buf acpi_aml_cmd_crc = {
.buf = acpi_aml_cmd_buf,
.head = 0,
.tail = 0,
Reported by FlawFinder.
Line: 74
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static char acpi_aml_cmd_buf[ACPI_AML_BUF_SIZE];
static char acpi_aml_log_buf[ACPI_AML_BUF_SIZE];
static struct circ_buf acpi_aml_cmd_crc = {
.buf = acpi_aml_cmd_buf,
.head = 0,
.tail = 0,
};
Reported by FlawFinder.
Line: 147
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
p = &crc->buf[crc->head];
len = circ_space_to_end(crc);
if (len > remained) {
memcpy(p, acpi_aml_batch_pos, remained);
acpi_aml_batch_pos += remained;
len = remained;
} else {
memcpy(p, acpi_aml_batch_pos, len);
acpi_aml_batch_pos += len;
Reported by FlawFinder.
Line: 151
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
acpi_aml_batch_pos += remained;
len = remained;
} else {
memcpy(p, acpi_aml_batch_pos, len);
acpi_aml_batch_pos += len;
}
if (len > 0)
crc->head = (crc->head + len) & (ACPI_AML_BUF_SIZE - 1);
return len;
Reported by FlawFinder.
Line: 402
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ret = EXIT_FAILURE;
goto exit;
}
memcpy(acpi_aml_batch_cmd, optarg, len);
acpi_aml_batch_cmd[len] = '\n';
acpi_aml_mode = ACPI_AML_BATCH;
break;
case 'f':
acpi_aml_file_path = optarg;
Reported by FlawFinder.
Line: 422
Column: 7
CWE codes:
362
}
}
fd = open(acpi_aml_file_path, O_RDWR | O_NONBLOCK);
if (fd < 0) {
perror("open");
ret = EXIT_FAILURE;
goto exit;
}
Reported by FlawFinder.
Line: 130
Column: 8
CWE codes:
120
20
p = &crc->buf[crc->head];
len = circ_space_to_end(crc);
len = read(fd, p, len);
if (len < 0)
perror("read");
else if (len > 0)
crc->head = (crc->head + len) & (ACPI_AML_BUF_SIZE - 1);
return len;
Reported by FlawFinder.
Line: 142
Column: 17
CWE codes:
126
{
char *p;
int len;
int remained = strlen(acpi_aml_batch_pos);
p = &crc->buf[crc->head];
len = circ_space_to_end(crc);
if (len > remained) {
memcpy(p, acpi_aml_batch_pos, remained);
Reported by FlawFinder.
drivers/scsi/libsas/sas_expander.c
17 issues
Line: 233
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* check if anything important changed to squelch debug */
dev_type = phy->attached_dev_type;
linkrate = phy->linkrate;
memcpy(sas_addr, phy->attached_sas_addr, SAS_ADDR_SIZE);
/* Handle vacant phy - rest of dr data is not valid so skip it */
if (phy->phy_state == PHY_VACANT) {
memset(phy->attached_sas_addr, 0, SAS_ADDR_SIZE);
phy->attached_dev_type = SAS_PHY_UNUSED;
Reported by FlawFinder.
Line: 263
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
phy->linkrate < SAS_LINK_RATE_1_5_GBPS)
memset(phy->attached_sas_addr, 0, SAS_ADDR_SIZE);
else
memcpy(phy->attached_sas_addr, dr->attached_sas_addr, SAS_ADDR_SIZE);
phy->attached_phy_id = dr->attached_phy_id;
phy->phy_change_count = dr->change_count;
phy->routing_attr = dr->routing_attr;
phy->virtual = dr->virtual;
phy->last_da_index = -1;
Reported by FlawFinder.
Line: 460
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dev->ex_dev.t2t_supp = rg->t2t_supp;
dev->ex_dev.conf_route_table = rg->conf_route_table;
dev->ex_dev.configuring = rg->configuring;
memcpy(dev->ex_dev.enclosure_logical_id, rg->enclosure_logical_id, 8);
}
#define RG_REQ_SIZE 8
#define RG_RESP_SIZE 32
Reported by FlawFinder.
Line: 522
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct sas_rphy *rphy = dev->rphy;
struct sas_expander_device *edev = rphy_to_expander_device(rphy);
memcpy(edev->vendor_id, mi_resp + 12, SAS_EXPANDER_VENDOR_ID_LEN);
memcpy(edev->product_id, mi_resp + 20, SAS_EXPANDER_PRODUCT_ID_LEN);
memcpy(edev->product_rev, mi_resp + 36,
SAS_EXPANDER_PRODUCT_REV_LEN);
if (mi_resp[8] & 1) {
Reported by FlawFinder.
Line: 523
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct sas_expander_device *edev = rphy_to_expander_device(rphy);
memcpy(edev->vendor_id, mi_resp + 12, SAS_EXPANDER_VENDOR_ID_LEN);
memcpy(edev->product_id, mi_resp + 20, SAS_EXPANDER_PRODUCT_ID_LEN);
memcpy(edev->product_rev, mi_resp + 36,
SAS_EXPANDER_PRODUCT_REV_LEN);
if (mi_resp[8] & 1) {
memcpy(edev->component_vendor_id, mi_resp + 40,
Reported by FlawFinder.
Line: 524
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(edev->vendor_id, mi_resp + 12, SAS_EXPANDER_VENDOR_ID_LEN);
memcpy(edev->product_id, mi_resp + 20, SAS_EXPANDER_PRODUCT_ID_LEN);
memcpy(edev->product_rev, mi_resp + 36,
SAS_EXPANDER_PRODUCT_REV_LEN);
if (mi_resp[8] & 1) {
memcpy(edev->component_vendor_id, mi_resp + 40,
SAS_EXPANDER_COMPONENT_VENDOR_ID_LEN);
Reported by FlawFinder.
Line: 528
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
SAS_EXPANDER_PRODUCT_REV_LEN);
if (mi_resp[8] & 1) {
memcpy(edev->component_vendor_id, mi_resp + 40,
SAS_EXPANDER_COMPONENT_VENDOR_ID_LEN);
edev->component_id = mi_resp[48] << 8 | mi_resp[49];
edev->component_revision_id = mi_resp[50];
}
}
Reported by FlawFinder.
Line: 798
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
child->parent = parent;
child->port = parent->port;
child->iproto = phy->attached_iproto;
memcpy(child->sas_addr, phy->attached_sas_addr, SAS_ADDR_SIZE);
sas_hash_addr(child->hashed_sas_addr, child->sas_addr);
if (!phy->port) {
phy->port = sas_port_alloc(&parent->rphy->dev, phy_id);
if (unlikely(!phy->port))
goto out_err;
Reported by FlawFinder.
Line: 987
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
child->port = port;
child->iproto = phy->attached_iproto;
child->tproto = phy->attached_tproto;
memcpy(child->sas_addr, phy->attached_sas_addr, SAS_ADDR_SIZE);
sas_hash_addr(child->hashed_sas_addr, child->sas_addr);
sas_ex_get_linkrate(parent, child, phy);
edev->level = parent_ex->level + 1;
parent->port->disc.max_level = max(parent->port->disc.max_level,
edev->level);
Reported by FlawFinder.
Line: 1097
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sas_ex_disable_phy(dev, phy_id);
return res;
} else
memcpy(dev->port->disc.fanout_sas_addr,
ex_phy->attached_sas_addr, SAS_ADDR_SIZE);
fallthrough;
case SAS_EDGE_EXPANDER_DEVICE:
child = sas_ex_discover_expander(dev, phy_id);
break;
Reported by FlawFinder.
drivers/input/misc/ad714x.c
17 issues
Line: 134
Column: 10
CWE codes:
120
20
mask = ((1 << (end_stage + 1)) - 1) - ((1 << start_stage) - 1);
ad714x->read(ad714x, STG_COM_INT_EN_REG, &data, 1);
data |= 1 << end_stage;
ad714x->write(ad714x, STG_COM_INT_EN_REG, data);
ad714x->read(ad714x, STG_HIGH_INT_EN_REG, &data, 1);
data &= ~mask;
Reported by FlawFinder.
Line: 138
Column: 10
CWE codes:
120
20
data |= 1 << end_stage;
ad714x->write(ad714x, STG_COM_INT_EN_REG, data);
ad714x->read(ad714x, STG_HIGH_INT_EN_REG, &data, 1);
data &= ~mask;
ad714x->write(ad714x, STG_HIGH_INT_EN_REG, data);
}
static void ad714x_use_thr_int(struct ad714x_chip *ad714x,
Reported by FlawFinder.
Line: 151
Column: 10
CWE codes:
120
20
mask = ((1 << (end_stage + 1)) - 1) - ((1 << start_stage) - 1);
ad714x->read(ad714x, STG_COM_INT_EN_REG, &data, 1);
data &= ~(1 << end_stage);
ad714x->write(ad714x, STG_COM_INT_EN_REG, data);
ad714x->read(ad714x, STG_HIGH_INT_EN_REG, &data, 1);
data |= mask;
Reported by FlawFinder.
Line: 155
Column: 10
CWE codes:
120
20
data &= ~(1 << end_stage);
ad714x->write(ad714x, STG_COM_INT_EN_REG, data);
ad714x->read(ad714x, STG_HIGH_INT_EN_REG, &data, 1);
data |= mask;
ad714x->write(ad714x, STG_HIGH_INT_EN_REG, data);
}
static int ad714x_cal_highest_stage(struct ad714x_chip *ad714x,
Reported by FlawFinder.
Line: 253
Column: 10
CWE codes:
120
20
struct ad714x_slider_plat *hw = &ad714x->hw->slider[idx];
int i;
ad714x->read(ad714x, CDC_RESULT_S0 + hw->start_stage,
&ad714x->adc_reg[hw->start_stage],
hw->end_stage - hw->start_stage + 1);
for (i = hw->start_stage; i <= hw->end_stage; i++) {
ad714x->read(ad714x, STAGE0_AMBIENT + i * PER_STAGE_REG_NUM,
Reported by FlawFinder.
Line: 258
Column: 11
CWE codes:
120
20
hw->end_stage - hw->start_stage + 1);
for (i = hw->start_stage; i <= hw->end_stage; i++) {
ad714x->read(ad714x, STAGE0_AMBIENT + i * PER_STAGE_REG_NUM,
&ad714x->amb_reg[i], 1);
ad714x->sensor_val[i] =
abs(ad714x->adc_reg[i] - ad714x->amb_reg[i]);
}
Reported by FlawFinder.
Line: 425
Column: 10
CWE codes:
120
20
struct ad714x_wheel_plat *hw = &ad714x->hw->wheel[idx];
int i;
ad714x->read(ad714x, CDC_RESULT_S0 + hw->start_stage,
&ad714x->adc_reg[hw->start_stage],
hw->end_stage - hw->start_stage + 1);
for (i = hw->start_stage; i <= hw->end_stage; i++) {
ad714x->read(ad714x, STAGE0_AMBIENT + i * PER_STAGE_REG_NUM,
Reported by FlawFinder.
Line: 430
Column: 11
CWE codes:
120
20
hw->end_stage - hw->start_stage + 1);
for (i = hw->start_stage; i <= hw->end_stage; i++) {
ad714x->read(ad714x, STAGE0_AMBIENT + i * PER_STAGE_REG_NUM,
&ad714x->amb_reg[i], 1);
if (ad714x->adc_reg[i] > ad714x->amb_reg[i])
ad714x->sensor_val[i] =
ad714x->adc_reg[i] - ad714x->amb_reg[i];
else
Reported by FlawFinder.
Line: 579
Column: 10
CWE codes:
120
20
struct ad714x_touchpad_plat *hw = &ad714x->hw->touchpad[idx];
int i;
ad714x->read(ad714x, CDC_RESULT_S0 + hw->x_start_stage,
&ad714x->adc_reg[hw->x_start_stage],
hw->x_end_stage - hw->x_start_stage + 1);
for (i = hw->x_start_stage; i <= hw->x_end_stage; i++) {
ad714x->read(ad714x, STAGE0_AMBIENT + i * PER_STAGE_REG_NUM,
Reported by FlawFinder.
Line: 584
Column: 11
CWE codes:
120
20
hw->x_end_stage - hw->x_start_stage + 1);
for (i = hw->x_start_stage; i <= hw->x_end_stage; i++) {
ad714x->read(ad714x, STAGE0_AMBIENT + i * PER_STAGE_REG_NUM,
&ad714x->amb_reg[i], 1);
if (ad714x->adc_reg[i] > ad714x->amb_reg[i])
ad714x->sensor_val[i] =
ad714x->adc_reg[i] - ad714x->amb_reg[i];
else
Reported by FlawFinder.
kernel/bpf/btf.c
17 issues
Line: 5731
Column: 8
CWE codes:
134
Suggestion:
Use a constant for the format specification
struct btf_show_snprintf *ssnprintf = (struct btf_show_snprintf *)show;
int len;
len = vsnprintf(show->target, ssnprintf->len_left, fmt, args);
if (len < 0) {
ssnprintf->len_left = 0;
ssnprintf->len = len;
} else if (len > ssnprintf->len_left) {
Reported by FlawFinder.
Line: 219
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct btf *base_btf;
u32 start_id; /* first type ID in this BTF (0 for base BTF) */
u32 start_str_off; /* first string offset (0 for base BTF) */
char name[MODULE_NAME_LEN];
bool kernel_btf;
};
enum verifier_phase {
CHECK_META,
Reported by FlawFinder.
Line: 266
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
enum resolve_mode resolve_mode;
};
static const char * const btf_kind_str[NR_BTF_KINDS] = {
[BTF_KIND_UNKN] = "UNKNOWN",
[BTF_KIND_INT] = "INT",
[BTF_KIND_PTR] = "PTR",
[BTF_KIND_ARRAY] = "ARRAY",
[BTF_KIND_STRUCT] = "STRUCT",
Reported by FlawFinder.
Line: 366
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int status; /* non-zero for error */
const struct btf_type *type;
const struct btf_member *member;
char name[BTF_SHOW_NAME_SIZE]; /* space for member name/type */
} state;
struct {
u32 size;
void *head;
void *data;
Reported by FlawFinder.
Line: 1462
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
btf->nr_types++;
}
} else {
memcpy(new_types, btf->types,
sizeof(*btf->types) * btf->nr_types);
}
kvfree(btf->types);
btf->types = new_types;
Reported by FlawFinder.
Line: 2137
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
nr_copy_bits = nr_bits + bits_offset;
nr_copy_bytes = BITS_ROUNDUP_BYTES(nr_copy_bits);
memcpy(print_num, data, nr_copy_bytes);
#ifdef __BIG_ENDIAN_BITFIELD
left_shift_bits = bits_offset;
#else
left_shift_bits = BITS_PER_U128 - nr_copy_bits;
Reported by FlawFinder.
Line: 4227
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
hdr_copy = min_t(u32, hdr_len, sizeof(btf->hdr));
memcpy(&btf->hdr, btf->data, hdr_copy);
hdr = &btf->hdr;
btf_verifier_log_hdr(env, btf_data_size);
Reported by FlawFinder.
Line: 4597
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
err = -ENOMEM;
goto errout;
}
memcpy(btf->data, data, data_size);
btf->data_size = data_size;
err = btf_parse_hdr(env);
if (err)
goto errout;
Reported by FlawFinder.
Line: 5974
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
const struct btf *btf = bin_attr->private;
memcpy(buf, btf->data + off, len);
return len;
}
static int btf_module_notify(struct notifier_block *nb, unsigned long op,
void *module)
Reported by FlawFinder.
Line: 812
Column: 45
CWE codes:
126
{
/* BTF_MAX_ITER array suffixes "[]" */
const char *array_suffixes = "[][][][][][][][][][]";
const char *array_suffix = &array_suffixes[strlen(array_suffixes)];
/* BTF_MAX_ITER pointer suffixes "*" */
const char *ptr_suffixes = "**********";
const char *ptr_suffix = &ptr_suffixes[strlen(ptr_suffixes)];
const char *name = NULL, *prefix = "", *parens = "";
const struct btf_member *m = show->state.member;
Reported by FlawFinder.
drivers/net/wireless/ath/ath9k/ar9003_eeprom.c
17 issues
Line: 3168
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ath_dbg(common, EEPROM,
"Restore at %d: spot=%d offset=%d length=%d\n",
it, spot, offset, length);
memcpy(&mptr[spot], &block[it+2], length);
spot += length;
} else if (length > 0) {
ath_dbg(common, EEPROM,
"Bad restore at %d: spot=%d offset=%d length=%d\n",
it, spot, offset, length);
Reported by FlawFinder.
Line: 3198
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mdata_size, length);
return -1;
}
memcpy(mptr, word + COMP_HDR_LEN, length);
ath_dbg(common, EEPROM,
"restored eeprom %d: uncompressed, length %d\n",
it, length);
break;
case _CompressBlock:
Reported by FlawFinder.
Line: 3212
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
reference);
return -1;
}
memcpy(mptr, eep, mdata_size);
}
ath_dbg(common, EEPROM,
"restore eeprom %d: block, reference %d, length %d\n",
it, reference, length);
ar9300_uncompress_block(ah, mptr, mdata_size,
Reported by FlawFinder.
Line: 3299
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!word)
return -ENOMEM;
memcpy(mptr, &ar9300_default, mdata_size);
read = ar9300_read_eeprom;
if (AR_SREV_9485(ah))
cptr = AR9300_BASE_ADDR_4K;
else if (AR_SREV_9330(ah))
Reported by FlawFinder.
Line: 5485
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ALL_TARGET_HT20_0_8_16;
if (!ah->paprd_table_write_done) {
memcpy(target_power_val_t2_eep, targetPowerValT2,
sizeof(targetPowerValT2));
for (i = 0; i < 24; i++) {
pwr_idx = mcsidx_to_tgtpwridx(i, min_pwridx);
if (ah->paprd_ratemask & (1 << i)) {
if (targetPowerValT2[pwr_idx] &&
Reported by FlawFinder.
Line: 5498
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
}
}
memcpy(target_power_val_t2_eep, targetPowerValT2,
sizeof(targetPowerValT2));
}
ar9003_hw_set_power_per_rate_table(ah, chan,
targetPowerValT2, cfgCtl,
Reported by FlawFinder.
Line: 5507
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
twiceAntennaReduction,
powerLimit);
memcpy(targetPowerValT2_tpc, targetPowerValT2,
sizeof(targetPowerValT2));
if (ar9003_is_paprd_enabled(ah)) {
for (i = 0; i < ar9300RateSize; i++) {
if ((ah->paprd_ratemask & (1 << i)) &&
Reported by FlawFinder.
Line: 3236
Column: 74
CWE codes:
120
20
return !(*word == 0 || *word == ~0);
}
static bool ar9300_check_eeprom_header(struct ath_hw *ah, eeprom_read_op read,
int base_addr)
{
u8 header[4];
if (!read(ah, base_addr, header, 4))
Reported by FlawFinder.
Line: 3280
Column: 17
CWE codes:
120
20
u16 checksum, mchecksum;
struct ath_common *common = ath9k_hw_common(ah);
struct ar9300_eeprom *eep;
eeprom_read_op read;
if (ath9k_hw_use_flash(ah)) {
u8 txrx;
if (ar9300_eeprom_restore_flash(ah, mptr, mdata_size))
Reported by FlawFinder.
arch/powerpc/kernel/rtas_flash.c
17 issues
Line: 262
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
msg = "ready: firmware image ready for flash on reboot\n";
break;
default:
return sprintf(buf, "error: unexpected status value %d\n",
status);
}
len = strlen(msg);
memcpy(buf, msg, len + 1);
Reported by FlawFinder.
Line: 267
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
len = strlen(msg);
memcpy(buf, msg, len + 1);
return len;
}
/* Reading the proc file will show status (not the firmware contents) */
static ssize_t rtas_flash_read_msg(struct file *file, char __user *buf,
Reported by FlawFinder.
Line: 276
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
size_t count, loff_t *ppos)
{
struct rtas_update_flash_t *const uf = &rtas_update_flash_data;
char msg[RTAS_MSG_MAXLEN];
size_t len;
int status;
mutex_lock(&rtas_update_flash_mutex);
status = uf->status;
Reported by FlawFinder.
Line: 293
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
size_t count, loff_t *ppos)
{
struct rtas_update_flash_t *const uf = &rtas_update_flash_data;
char msg[RTAS_MSG_MAXLEN];
int status;
mutex_lock(&rtas_update_flash_mutex);
status = uf->status;
mutex_unlock(&rtas_update_flash_mutex);
Reported by FlawFinder.
Line: 301
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
mutex_unlock(&rtas_update_flash_mutex);
/* Read as number */
sprintf(msg, "%d\n", status);
return simple_read_from_buffer(buf, count, ppos, msg, strlen(msg));
}
/* We could be much more efficient here. But to keep this function
* simple we allocate a page to the block list no matter how small the
Reported by FlawFinder.
Line: 390
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
size_t count, loff_t *ppos)
{
struct rtas_manage_flash_t *const args_buf = &rtas_manage_flash_data;
char msg[RTAS_MSG_MAXLEN];
int msglen, status;
mutex_lock(&rtas_manage_flash_mutex);
status = args_buf->status;
mutex_unlock(&rtas_manage_flash_mutex);
Reported by FlawFinder.
Line: 397
Column: 11
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
status = args_buf->status;
mutex_unlock(&rtas_manage_flash_mutex);
msglen = sprintf(msg, "%d\n", status);
return simple_read_from_buffer(buf, count, ppos, msg, msglen);
}
static ssize_t manage_flash_write(struct file *file, const char __user *buf,
size_t count, loff_t *off)
Reported by FlawFinder.
Line: 407
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct rtas_manage_flash_t *const args_buf = &rtas_manage_flash_data;
static const char reject_str[] = "0";
static const char commit_str[] = "1";
char stkbuf[10];
int op, rc;
mutex_lock(&rtas_manage_flash_mutex);
if ((args_buf->status == MANAGE_AUTH) || (count == 0))
Reported by FlawFinder.
Line: 454
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
rc = 0;
do {
spin_lock(&rtas_data_buf_lock);
memcpy(rtas_data_buf, args_buf->buf, VALIDATE_BUF_SIZE);
rc = rtas_call(token, 2, 2, &update_results,
(u32) __pa(rtas_data_buf), args_buf->buf_size);
memcpy(args_buf->buf, rtas_data_buf, VALIDATE_BUF_SIZE);
spin_unlock(&rtas_data_buf_lock);
} while (rtas_busy_delay(rc));
Reported by FlawFinder.
Line: 457
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(rtas_data_buf, args_buf->buf, VALIDATE_BUF_SIZE);
rc = rtas_call(token, 2, 2, &update_results,
(u32) __pa(rtas_data_buf), args_buf->buf_size);
memcpy(args_buf->buf, rtas_data_buf, VALIDATE_BUF_SIZE);
spin_unlock(&rtas_data_buf_lock);
} while (rtas_busy_delay(rc));
args_buf->status = rc;
args_buf->update_results = update_results;
Reported by FlawFinder.