The following issues were found
drivers/iio/multiplexer/iio-mux.c
2 issues
Line: 293
Column: 27
CWE codes:
120
20
if (!pchan->ext_info[i].write)
continue;
if (!pchan->ext_info[i].read)
continue;
ret = iio_read_channel_ext_info(mux->parent,
mux->ext_info[i].name,
page);
Reported by FlawFinder.
Line: 408
Column: 37
CWE codes:
120
20
return -ENOMEM;
for (i = 0; mux->ext_info[i].name; ++i) {
if (parent->channel->ext_info[i].read)
mux->ext_info[i].read = mux_read_ext_info;
if (parent->channel->ext_info[i].write)
mux->ext_info[i].write = mux_write_ext_info;
mux->ext_info[i].private = i;
}
Reported by FlawFinder.
drivers/iio/proximity/as3935.c
2 issues
Line: 125
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
return ret;
val = (val & AS3935_AFE_MASK) >> 1;
return sprintf(buf, "%d\n", val);
}
static ssize_t as3935_sensor_sensitivity_store(struct device *dev,
struct device_attribute *attr,
const char *buf, size_t len)
Reported by FlawFinder.
Line: 156
Column: 8
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
int ret;
mutex_lock(&st->lock);
ret = sprintf(buf, "%d\n", !time_after(jiffies, st->noise_tripped + HZ));
mutex_unlock(&st->lock);
return ret;
}
Reported by FlawFinder.
drivers/iio/temperature/max31856.c
2 issues
Line: 323
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
fault = reg_val & faultbit;
return sprintf(buf, "%d\n", fault);
}
static ssize_t show_fault_ovuv(struct device *dev,
struct device_attribute *attr,
char *buf)
Reported by FlawFinder.
Line: 347
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct iio_dev *indio_dev = dev_to_iio_dev(dev);
struct max31856_data *data = iio_priv(indio_dev);
return sprintf(buf, "%d\n", data->filter_50hz ? 50 : 60);
}
static ssize_t set_filter(struct device *dev,
struct device_attribute *attr,
const char *buf,
Reported by FlawFinder.
drivers/iio/temperature/tsys01.c
2 issues
Line: 131
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
int i, ret;
struct tsys01_dev *dev_data = iio_priv(indio_dev);
char buf[7 * TSYS01_PROM_WORDS_NB + 1];
char *ptr = buf;
for (i = 0; i < TSYS01_PROM_WORDS_NB; i++) {
ret = dev_data->read_prom_word(dev_data->client,
TSYS01_PROM_READ + (i << 1),
Reported by FlawFinder.
Line: 141
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (ret)
return ret;
ret = sprintf(ptr, "0x%04x ", dev_data->prom[i]);
ptr += ret;
}
if (!tsys01_crc_valid(dev_data->prom)) {
dev_err(&indio_dev->dev, "prom crc check error\n");
Reported by FlawFinder.
drivers/infiniband/core/packer.c
2 issues
Line: 112
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (desc[i].struct_size_bytes)
memcpy(buf + desc[i].offset_words * 4 +
desc[i].offset_bits / 8,
structure + desc[i].struct_offset_bytes,
desc[i].size_bits / 8);
else
memset(buf + desc[i].offset_words * 4 +
Reported by FlawFinder.
Line: 194
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
desc[i].field_name, desc[i].size_bits);
}
memcpy(structure + desc[i].struct_offset_bytes,
buf + desc[i].offset_words * 4 +
desc[i].offset_bits / 8,
desc[i].size_bits / 8);
}
}
Reported by FlawFinder.
drivers/infiniband/core/rdma_core.h
2 issues
Line: 63
Column: 68
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
* uverbs_finalize_objects are called.
*/
struct ib_uobject *
uverbs_get_uobject_from_file(u16 object_id, enum uverbs_obj_access access,
s64 id, struct uverbs_attr_bundle *attrs);
void uverbs_finalize_object(struct ib_uobject *uobj,
enum uverbs_obj_access access, bool hw_obj_valid,
bool commit, struct uverbs_attr_bundle *attrs);
Reported by FlawFinder.
Line: 67
Column: 31
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
s64 id, struct uverbs_attr_bundle *attrs);
void uverbs_finalize_object(struct ib_uobject *uobj,
enum uverbs_obj_access access, bool hw_obj_valid,
bool commit, struct uverbs_attr_bundle *attrs);
int uverbs_output_written(const struct uverbs_attr_bundle *bundle, size_t idx);
void setup_ufile_idr_uobject(struct ib_uverbs_file *ufile);
Reported by FlawFinder.
drivers/infiniband/core/restrack.c
2 issues
Line: 42
Column: 15
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static const char *type2str(enum rdma_restrack_type type)
{
static const char * const names[RDMA_RESTRACK_MAX] = {
[RDMA_RESTRACK_PD] = "PD",
[RDMA_RESTRACK_CQ] = "CQ",
[RDMA_RESTRACK_QP] = "QP",
[RDMA_RESTRACK_CM_ID] = "CM_ID",
[RDMA_RESTRACK_MR] = "MR",
Reported by FlawFinder.
Line: 64
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct rdma_restrack_root *rt = dev->res;
struct rdma_restrack_entry *e;
char buf[TASK_COMM_LEN];
bool found = false;
const char *owner;
int i;
for (i = 0 ; i < RDMA_RESTRACK_MAX; i++) {
Reported by FlawFinder.
drivers/infiniband/core/ud_header.c
2 issues
Line: 458
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
len += IB_DETH_BYTES;
if (header->immediate_present) {
memcpy(buf + len, &header->immediate_data, sizeof header->immediate_data);
len += sizeof header->immediate_data;
}
return len;
}
Reported by FlawFinder.
Line: 543
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
buf += IB_DETH_BYTES;
if (header->immediate_present)
memcpy(&header->immediate_data, buf, sizeof header->immediate_data);
return 0;
}
EXPORT_SYMBOL(ib_ud_header_unpack);
Reported by FlawFinder.
drivers/infiniband/core/umem_dmabuf.c
2 issues
Line: 109
Column: 20
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
struct ib_umem_dmabuf *ib_umem_dmabuf_get(struct ib_device *device,
unsigned long offset, size_t size,
int fd, int access,
const struct dma_buf_attach_ops *ops)
{
struct dma_buf *dmabuf;
struct ib_umem_dmabuf *umem_dmabuf;
struct ib_umem *umem;
Reported by FlawFinder.
Line: 141
Column: 38
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
umem->ibdev = device;
umem->length = size;
umem->address = offset;
umem->writable = ib_access_writable(access);
umem->is_dmabuf = 1;
if (!ib_umem_num_pages(umem))
goto out_free_umem;
Reported by FlawFinder.
drivers/infiniband/core/uverbs_uapi.c
2 issues
Line: 147
Column: 39
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
* uobject being NEW'd or DESTROY'd
*/
if (attr->attr.type == UVERBS_ATTR_TYPE_IDRS_ARRAY) {
u8 access = attr->attr.u2.objs_arr.access;
if (WARN_ON(access == UVERBS_ACCESS_NEW ||
access == UVERBS_ACCESS_DESTROY))
return -EINVAL;
}
Reported by FlawFinder.
Line: 383
Column: 32
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
if (type == UVERBS_ATTR_TYPE_IDR ||
type == UVERBS_ATTR_TYPE_FD) {
u8 access = elm->spec.u.obj.access;
/*
* Verbs specs may only have one NEW/DESTROY, we don't
* have the infrastructure to abort multiple NEW's or
* cope with multiple DESTROY failure.
Reported by FlawFinder.