The following issues were found
drivers/bluetooth/virtio_bt.c
2 issues
Line: 91
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct scatterlist sg[1];
int err;
memcpy(skb_push(skb, 1), &hci_skb_pkt_type(skb), 1);
sg_init_one(sg, skb->data, skb->len);
err = virtqueue_add_outbuf(vbt->vqs[VIRTBT_VQ_TX], sg, 1, skb,
GFP_KERNEL);
if (err) {
Reported by FlawFinder.
Line: 250
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
[VIRTBT_VQ_TX] = virtbt_tx_done,
[VIRTBT_VQ_RX] = virtbt_rx_done,
};
const char *names[VIRTBT_NUM_VQS] = {
[VIRTBT_VQ_TX] = "tx",
[VIRTBT_VQ_RX] = "rx",
};
struct virtio_bluetooth *vbt;
struct hci_dev *hdev;
Reported by FlawFinder.
drivers/acpi/acpi_memhotplug.c
2 issues
Line: 285
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
INIT_LIST_HEAD(&mem_device->res_list);
mem_device->device = device;
sprintf(acpi_device_name(device), "%s", ACPI_MEMORY_DEVICE_NAME);
sprintf(acpi_device_class(device), "%s", ACPI_MEMORY_DEVICE_CLASS);
device->driver_data = mem_device;
/* Get the range from the _CRS */
result = acpi_memory_get_device_resources(mem_device);
Reported by FlawFinder.
Line: 286
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
INIT_LIST_HEAD(&mem_device->res_list);
mem_device->device = device;
sprintf(acpi_device_name(device), "%s", ACPI_MEMORY_DEVICE_NAME);
sprintf(acpi_device_class(device), "%s", ACPI_MEMORY_DEVICE_CLASS);
device->driver_data = mem_device;
/* Get the range from the _CRS */
result = acpi_memory_get_device_resources(mem_device);
if (result) {
Reported by FlawFinder.
drivers/char/ipmi/ipmi_powernv.c
2 issues
Line: 87
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
opal_msg->netfn = msg->data[0];
opal_msg->cmd = msg->data[1];
if (msg->data_size > 2)
memcpy(opal_msg->data, msg->data + 2, msg->data_size - 2);
/* data_size already includes the netfn and cmd bytes */
size = sizeof(*opal_msg) + msg->data_size - 2;
pr_devel("%s: opal_ipmi_send(0x%llx, %p, %ld)\n", __func__,
Reported by FlawFinder.
Line: 169
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
msg->rsp[0] = opal_msg->netfn;
msg->rsp[1] = opal_msg->cmd;
if (size > sizeof(*opal_msg))
memcpy(&msg->rsp[2], opal_msg->data, size - sizeof(*opal_msg));
msg->rsp_size = 2 + size - sizeof(*opal_msg);
smi->cur_msg = NULL;
spin_unlock_irqrestore(&smi->msg_lock, flags);
ipmi_smi_msg_received(smi->intf, msg);
Reported by FlawFinder.
drivers/acpi/acpi_lpit.c
2 issues
Line: 67
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (ret)
return ret;
return sprintf(buf, "%llu\n", counter);
}
static DEVICE_ATTR_RO(low_power_idle_system_residency_us);
static ssize_t low_power_idle_cpu_residency_us_show(struct device *dev,
struct device_attribute *attr,
Reported by FlawFinder.
Line: 82
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (ret)
return ret;
return sprintf(buf, "%llu\n", counter);
}
static DEVICE_ATTR_RO(low_power_idle_cpu_residency_us);
int lpit_read_residency_count_address(u64 *address)
{
Reported by FlawFinder.
drivers/crypto/hisilicon/sec/sec_algs.c
2 issues
Line: 151
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct sec_alg_tfm_ctx *ctx = crypto_tfm_ctx(tfm);
ctx->cipher_alg = alg;
memcpy(ctx->key, key, keylen);
sec_alg_skcipher_init_template(ctx, &ctx->req_template,
ctx->cipher_alg);
}
static void sec_free_hw_sgl(struct sec_hw_sgl *hw_sgl,
Reported by FlawFinder.
Line: 645
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return ERR_PTR(-ENOMEM);
el->el_length = el_size;
req = &el->req;
memcpy(req, template, sizeof(*req));
req->w0 &= ~SEC_BD_W0_CIPHER_M;
if (encrypt)
req->w0 |= SEC_CIPHER_ENCRYPT << SEC_BD_W0_CIPHER_S;
else
Reported by FlawFinder.
drivers/fpga/machxo2-spi.c
2 issues
Line: 267
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
get_status(spi, &status);
dump_status_reg(&status);
memcpy(payload, &progincr, sizeof(progincr));
for (i = 0; i < count; i += MACHXO2_PAGE_SIZE) {
memcpy(&payload[sizeof(progincr)], &buf[i], MACHXO2_PAGE_SIZE);
memset(&tx, 0, sizeof(tx));
spi_message_init(&msg);
tx.tx_buf = payload;
Reported by FlawFinder.
Line: 269
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dump_status_reg(&status);
memcpy(payload, &progincr, sizeof(progincr));
for (i = 0; i < count; i += MACHXO2_PAGE_SIZE) {
memcpy(&payload[sizeof(progincr)], &buf[i], MACHXO2_PAGE_SIZE);
memset(&tx, 0, sizeof(tx));
spi_message_init(&msg);
tx.tx_buf = payload;
tx.len = MACHXO2_BUF_SIZE;
tx.delay.value = MACHXO2_HIGH_DELAY_USEC;
Reported by FlawFinder.
drivers/char/ipmi/ipmi_si_hardcode.c
2 issues
Line: 18
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define SI_MAX_PARMS 4
#define MAX_SI_TYPE_STR 30
static char si_type_str[MAX_SI_TYPE_STR] __initdata;
static unsigned long addrs[SI_MAX_PARMS];
static unsigned int num_addrs;
static unsigned int ports[SI_MAX_PARMS];
static unsigned int num_ports;
static int irqs[SI_MAX_PARMS] __initdata;
Reported by FlawFinder.
Line: 97
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
unsigned int i;
char *str;
char *si_type[SI_MAX_PARMS];
memset(si_type, 0, sizeof(si_type));
/* Parse out the si_type string into its components. */
str = si_type_str;
Reported by FlawFinder.
drivers/crypto/hisilicon/sec2/sec_main.c
2 issues
Line: 563
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
size_t count, loff_t *pos)
{
struct sec_debug_file *file = filp->private_data;
char tbuf[SEC_DBGFS_VAL_MAX_LEN];
u32 val;
int ret;
spin_lock_irq(&file->lock);
Reported by FlawFinder.
Line: 588
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
size_t count, loff_t *pos)
{
struct sec_debug_file *file = filp->private_data;
char tbuf[SEC_DBGFS_VAL_MAX_LEN];
unsigned long val;
int len, ret;
if (*pos != 0)
return 0;
Reported by FlawFinder.
drivers/fsi/fsi-master-gpio.c
2 issues
Line: 293
CWE codes:
476
msg_push_bits(cmd, addr, addr_bits);
msg_push_bits(cmd, ds, 1);
for (i = 0; write && i < size; i++)
msg_push_bits(cmd, ((uint8_t *)data)[i], 8);
msg_push_crc(cmd);
}
static void build_dpoll_command(struct fsi_gpio_msg *cmd, uint8_t slave_id)
Reported by Cppcheck.
Line: 293
CWE codes:
476
msg_push_bits(cmd, addr, addr_bits);
msg_push_bits(cmd, ds, 1);
for (i = 0; write && i < size; i++)
msg_push_bits(cmd, ((uint8_t *)data)[i], 8);
msg_push_crc(cmd);
}
static void build_dpoll_command(struct fsi_gpio_msg *cmd, uint8_t slave_id)
Reported by Cppcheck.
drivers/acpi/acpi_fpdt.c
2 issues
Line: 83
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t name##_show(struct kobject *kobj, \
struct kobj_attribute *attr, char *buf) \
{ \
return sprintf(buf, "%llu\n", record_##phase->name); \
} \
static struct kobj_attribute name##_attr = \
__ATTR(name##_ns, 0444, name##_show, NULL)
FPDT_ATTR(resume, resume_prev);
Reported by FlawFinder.
Line: 101
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t resume_count_show(struct kobject *kobj,
struct kobj_attribute *attr, char *buf)
{
return sprintf(buf, "%u\n", record_resume->resume_count);
}
static struct kobj_attribute resume_count_attr =
__ATTR_RO(resume_count);
Reported by FlawFinder.