The following issues were found
drivers/remoteproc/mtk_scp_ipi.c
2 issues
Line: 92
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ptr = (void __iomem *)ALIGN_DOWN((unsigned long)dst, 4);
i = 4 - (dst - ptr);
val = readl_relaxed(ptr);
memcpy((u8 *)&val + (4 - i), src, i);
writel_relaxed(val, ptr);
}
__iowrite32_copy(dst + i, src + i, (len - i) / 4);
remain = (len - i) % 4;
Reported by FlawFinder.
Line: 101
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (remain > 0) {
val = readl_relaxed(dst + len - remain);
memcpy(&val, src + len - remain, remain);
writel_relaxed(val, dst + len - remain);
}
}
EXPORT_SYMBOL_GPL(scp_memcpy_aligned);
Reported by FlawFinder.
drivers/remoteproc/qcom_wcnss.c
2 issues
Line: 62
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
size_t pmu_offset;
size_t spare_offset;
const char *pd_names[WCNSS_MAX_PDS];
const struct wcnss_vreg_info *vregs;
size_t num_vregs, num_pd_vregs;
};
struct qcom_wcnss {
Reported by FlawFinder.
Line: 400
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
static int wcnss_init_pds(struct qcom_wcnss *wcnss,
const char * const pd_names[WCNSS_MAX_PDS])
{
int i, ret;
for (i = 0; i < WCNSS_MAX_PDS; i++) {
if (!pd_names[i])
Reported by FlawFinder.
drivers/remoteproc/remoteproc_virtio.c
2 issues
Line: 266
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return;
}
memcpy(buf, cfg + offset, len);
}
static void rproc_virtio_set(struct virtio_device *vdev, unsigned int offset,
const void *buf, unsigned int len)
{
Reported by FlawFinder.
Line: 284
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return;
}
memcpy(cfg + offset, buf, len);
}
static const struct virtio_config_ops rproc_virtio_config_ops = {
.get_features = rproc_virtio_get_features,
.finalize_features = rproc_virtio_finalize_features,
Reported by FlawFinder.
drivers/rpmsg/qcom_glink_rpm.c
2 issues
Line: 157
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
size_t tlen = hlen + dlen;
size_t aligned_dlen;
unsigned int head;
char padding[8] = {0};
size_t pad;
/* Header length comes from glink native and is always 4 byte aligned */
if (WARN(hlen % 4, "Glink Header length must be 4 bytes aligned\n"))
return;
Reported by FlawFinder.
Line: 170
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*/
aligned_dlen = ALIGN_DOWN(dlen, 4);
if (aligned_dlen != dlen)
memcpy(padding, data + aligned_dlen, dlen - aligned_dlen);
head = readl(pipe->head);
head = glink_rpm_tx_write_one(pipe, head, hdr, hlen);
head = glink_rpm_tx_write_one(pipe, head, data, aligned_dlen);
Reported by FlawFinder.
drivers/rpmsg/qcom_glink_smem.c
2 issues
Line: 145
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
len = min_t(size_t, count, pipe->native.length - head);
if (len)
memcpy(pipe->fifo + head, data, len);
if (len != count)
memcpy(pipe->fifo, data + len, count - len);
head += count;
Reported by FlawFinder.
Line: 148
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(pipe->fifo + head, data, len);
if (len != count)
memcpy(pipe->fifo, data + len, count - len);
head += count;
if (head >= pipe->native.length)
head -= pipe->native.length;
Reported by FlawFinder.
drivers/rpmsg/qcom_glink_ssr.c
2 issues
Line: 27
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
__le32 command;
__le32 seq_num;
__le32 name_len;
char name[32];
};
/**
* struct cleanup_done_msg - The data structure for an SSR cleanup_done message
* @version: The G-Link SSR protocol version
Reported by FlawFinder.
Line: 113
Column: 29
CWE codes:
126
memset(&msg, 0, sizeof(msg));
msg.command = cpu_to_le32(GLINK_SSR_DO_CLEANUP);
msg.seq_num = cpu_to_le32(ssr->seq_num);
msg.name_len = cpu_to_le32(strlen(ssr_name));
strlcpy(msg.name, ssr_name, sizeof(msg.name));
ret = rpmsg_send(ssr->ept, &msg, sizeof(msg));
if (ret < 0)
dev_err(ssr->dev, "failed to send cleanup message\n");
Reported by FlawFinder.
drivers/rpmsg/rpmsg_ns.c
2 issues
Line: 23
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
*/
int rpmsg_ns_register_device(struct rpmsg_device *rpdev)
{
strcpy(rpdev->id.name, "rpmsg_ns");
rpdev->driver_override = "rpmsg_ns";
rpdev->src = RPMSG_NS_ADDR;
rpdev->dst = RPMSG_NS_ADDR;
return rpmsg_register_device(rpdev);
Reported by FlawFinder.
Line: 55
Column: 2
CWE codes:
120
/* don't trust the remote processor for null terminating the name */
msg->name[RPMSG_NAME_SIZE - 1] = '\0';
strncpy(chinfo.name, msg->name, sizeof(chinfo.name));
chinfo.src = RPMSG_ADDR_ANY;
chinfo.dst = rpmsg32_to_cpu(rpdev, msg->addr);
dev_info(dev, "%sing channel %s addr 0x%x\n",
rpmsg32_to_cpu(rpdev, msg->flags) & RPMSG_NS_DESTROY ?
Reported by FlawFinder.
drivers/rtc/rtc-ac100.c
2 issues
Line: 84
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define AC100_RTC_32K_RATE 32768
#define AC100_CLKOUT_NUM 3
static const char * const ac100_clkout_names[AC100_CLKOUT_NUM] = {
"ac100-cko1-rtc",
"ac100-cko2-rtc",
"ac100-cko3-rtc",
};
Reported by FlawFinder.
Line: 309
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int ac100_rtc_register_clks(struct ac100_rtc_dev *chip)
{
struct device_node *np = chip->dev->of_node;
const char *parents[2] = {AC100_RTC_32K_NAME};
int i, ret;
chip->clk_data = devm_kzalloc(chip->dev,
struct_size(chip->clk_data, hws,
AC100_CLKOUT_NUM),
Reported by FlawFinder.
drivers/rtc/rtc-bq32k.c
2 issues
Line: 81
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
uint8_t buffer[MAX_LEN + 1];
buffer[0] = off;
memcpy(&buffer[1], data, len);
if (i2c_master_send(client, buffer, len + 1) == len + 1)
return 0;
return -EIO;
Reported by FlawFinder.
Line: 203
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (error)
return error;
return sprintf(buf, "%d\n", (reg & BQ32K_TCFE) ? 1 : 0);
}
static ssize_t bq32k_sysfs_store_tricklecharge_bypass(struct device *dev,
struct device_attribute *attr,
const char *buf, size_t count)
Reported by FlawFinder.
drivers/rtc/rtc-ds1347.c
2 issues
Line: 54
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct regmap *map = dev_get_drvdata(dev);
unsigned int status, century, secs;
unsigned char buf[8];
int err;
err = regmap_read(map, DS1347_STATUS_REG, &status);
if (err)
return err;
Reported by FlawFinder.
Line: 93
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct regmap *map = dev_get_drvdata(dev);
unsigned int century;
unsigned char buf[8];
int err;
err = regmap_update_bits(map, DS1347_STATUS_REG,
DS1347_NEOSC_BIT, DS1347_NEOSC_BIT);
if (err)
Reported by FlawFinder.