============================================================================== SEVERITY=[SERIOUS] ISSUE=[Tainted expression (*(cmd)) used as an index in this context. Expression bounds: [No bounds check]. Tracking "*(cmd)": signed, 32 bit(s)] SOURCE=[/p0/working/Downloads/linux-2.6.18/block/scsi_ioctl.c, line 568] SINK=[/p0/working/Downloads/linux-2.6.18/block/scsi_ioctl.c, line 193] ORIGINATOR=[cqsat] 565: struct sg_io_hdr hdr; 566: 567: err = -EFAULT; 568: if (copy_from_user(&hdr, arg, sizeof(hdr))) ^^^---------^^^----------^^^ START 569: break; 570: err = sg_io(file, q, bd_disk, &hdr); 571: if (err == -EFAULT) 572: break; 190: safe_for_write(GPCMD_LOAD_UNLOAD), 191: safe_for_write(GPCMD_SET_STREAMING), 192: }; 193: unsigned char type = cmd_type[cmd[0]]; ^^^---------^^^----------^^^ ERROR 194: int has_write_perm = 0; 195: 196: /* Anybody who can open the device can do a read-safe command */ 197: if (type & CMD_READ_SAFE) [REVIEW NOTE: the declaration of cmd and the size of cmd_type are outside this excerpt. If cmd is an unsigned char * and cmd_type has one entry per byte value (256), cmd[0] cannot index past the table and this is a false positive; the tool's "signed, 32 bit" is the promoted type of the index expression, not necessarily the element type. Confirm both before closing.] ============================================================================== SEVERITY=[SERIOUS] ISSUE=[Tainted expression IndexCard used as an index in this context. Expression bounds: [Upper bound unchecked]. Tracking "IndexCard": unsigned, 8 bit(s)] SOURCE=[/p0/working/Downloads/linux-2.6.18/drivers/char/applicom.c, line 391] SINK=[/p0/working/Downloads/linux-2.6.18/drivers/char/applicom.c, line 440] ORIGINATOR=[cqsat] 388: 389: NumCard = st_loc.num_card; /* board number to send */ 390: TicCard = st_loc.tic_des_from_pc; /* tic number to send */ 391: IndexCard = NumCard - 1; ^^^---------^^^----------^^^ START 392: 393: if((NumCard < 1) || (NumCard > MAX_BOARD) || !apbs[IndexCard].RamIO) 394: return -EINVAL; 395: ...[skipping 42 line(s)]... 437: 438: /* Check whether the card is ready for us */ 439: while (readb(apbs[IndexCard].RamIO + DATA_FROM_PC_READY) != 0) { 440: Dummy = readb(apbs[IndexCard].RamIO + VERS); ^^^---------^^^----------^^^ ERROR 441: /* It's busy. Sleep. 
*/ 442: 443: spin_unlock_irqrestore(&apbs[IndexCard].mutex, flags); 444: schedule(); [REVIEW NOTE: likely a false positive. Line 393 rejects NumCard outside [1, MAX_BOARD] and the || short-circuits before apbs[IndexCard] is evaluated, so IndexCard is within [0, MAX_BOARD-1] at 393 and at 439-440, assuming apbs has MAX_BOARD entries (its declaration is not in the excerpt). The tool tracks IndexCard rather than NumCard and so misses the check.] ============================================================================== SEVERITY=[SERIOUS] ISSUE=[Tainted expression IndexCard used as an index in this context. Expression bounds: [Upper bound unchecked]. Tracking "IndexCard": unsigned, 8 bit(s)] SOURCE=[/p0/working/Downloads/linux-2.6.18/drivers/char/applicom.c, line 719] SINK=[/p0/working/Downloads/linux-2.6.18/drivers/char/applicom.c, line 811] ORIGINATOR=[cqsat] 716: return -EFAULT; 717: } 718: 719: IndexCard = adgl->num_card-1; ^^^---------^^^----------^^^ START 720: 721: if(cmd != 0 && cmd != 6 && 722: ((IndexCard >= MAX_BOARD) || !apbs[IndexCard].RamIO)) { 723: static int warncount = 10; ...[skipping 85 line(s)]... 808: boardname[serial] = readb(apbs[i].RamIO + TYPE_CARD + serial); 809: boardname[serial] = 0; 810: 811: printk(KERN_INFO "Prom version board %d ....... V%d.%d %s", ^^^---------^^^----------^^^ ERROR 812: i+1, 813: (int)(readb(apbs[IndexCard].RamIO + VERS) >> 4), 814: (int)(readb(apbs[IndexCard].RamIO + VERS) & 0xF), 815: boardname); [REVIEW NOTE: this one looks real. The range check at 721-722 is skipped entirely when cmd is 0 or 6, and the loop body at 808-815 reads apbs[IndexCard] on 813-814 while the neighbouring access on 808 uses apbs[i] and the message on 812 reports board i+1 — IndexCard here appears to be a typo for i. With IndexCard unchecked (8-bit, up to 255) the readb addresses memory past apbs. Which cmd value reaches this loop is not visible in the excerpt; either way, indexing with i on 813-814 (or applying the 722 check for every cmd) closes it.] ============================================================================== SEVERITY=[SERIOUS] ISSUE=[Dangerous dereference of tainted expression ((*(dev_priv))).sarea_priv. Expression bounds: [Upper bound unchecked]. Tracking "(dev_priv)->sarea_priv": unsigned, 32 bit(s)] SOURCE=[/p0/working/Downloads/linux-2.6.18/drivers/char/drm/mga_dma.c, line 871] SINK=[/p0/working/Downloads/linux-2.6.18/drivers/char/drm/mga_dma.c, line 925] ORIGINATOR=[cqsat] 868: drm_core_ioremap(dev->agp_buffer_map, dev); 869: } 870: 871: dev_priv->sarea_priv = ^^^---------^^^----------^^^ START 872: (drm_mga_sarea_t *) ((u8 *) dev_priv->sarea->handle + 873: init->sarea_priv_offset); 874: 875: if (!dev_priv->warp->handle || ...[skipping 47 line(s)]... 
922: dev_priv->prim.status[0] = dev_priv->primary->offset; 923: dev_priv->prim.status[1] = 0; 924: 925: dev_priv->sarea_priv->last_wrap = 0; ^^^---------^^^----------^^^ ERROR 926: dev_priv->sarea_priv->last_frame.head = 0; 927: dev_priv->sarea_priv->last_frame.wrap = 0; 928: 929: if (mga_freelist_init(dev, dev_priv) < 0) { ============================================================================== SEVERITY=[SERIOUS] ISSUE=[Dangerous dereference of tainted expression data. Expression bounds: [Upper bound unchecked]. Tracking "data": unsigned, 32 bit(s)] SOURCE=[/p0/working/Downloads/linux-2.6.18/drivers/char/drm/radeon_state.c, line 1523] SINK=[/p0/working/Downloads/linux-2.6.18/drivers/char/drm/radeon_state.c, line 1526] ORIGINATOR=[cqsat] 1520: 1521: dwords = (prim->finish - prim->start + 3) / sizeof(u32); 1522: 1523: data = (u32 *) ((char *)dev->agp_buffer_map->handle + ^^^---------^^^----------^^^ START 1524: elt_buf->offset + prim->start); 1525: 1525: 1526: data[0] = CP_PACKET3(RADEON_3D_RNDR_GEN_INDX_PRIM, dwords - 2); ^^^---------^^^----------^^^ ERROR 1527: data[1] = offset; 1528: data[2] = prim->numverts; 1529: data[3] = prim->vc_format; 1530: data[4] = (prim->prim | ============================================================================== SEVERITY=[SERIOUS] ISSUE=[Tainted expression (tex_width*4U) used as length parameter in this context. Expression bounds: [Lower bound unchecked]. Tracking "tex_width": signed, 32 bit(s)] SOURCE=[/p0/working/Downloads/linux-2.6.18/drivers/char/drm/radeon_state.c, line 1594] SINK=[/p0/working/Downloads/linux-2.6.18/drivers/char/drm/radeon_state.c, line 1693] ORIGINATOR=[cqsat] 1591: case RADEON_TXFORMAT_ARGB8888: 1592: case RADEON_TXFORMAT_RGBA8888: 1593: format = RADEON_COLOR_FORMAT_ARGB8888; 1594: tex_width = tex->width * 4; ^^^---------^^^----------^^^ START 1595: blit_width = image->width * 4; 1596: break; 1597: case RADEON_TXFORMAT_AI88: 1598: case RADEON_TXFORMAT_ARGB1555: ...[skipping 92 line(s)]... 
1690: from user space. */ 1691: if (tex->height == 1) { 1692: if (tex_width >= 64 || tex_width <= 16) { 1693: RADEON_COPY_MT(buffer, data, ^^^---------^^^----------^^^ ERROR 1694: (int)(tex_width * sizeof(u32))); 1695: } else if (tex_width == 32) { 1696: RADEON_COPY_MT(buffer, data, 16); 1697: RADEON_COPY_MT(buffer + 8, ============================================================================== SEVERITY=[SERIOUS] ISSUE=[Tainted expression (dwords*4U) used as length parameter in this context. Expression bounds: [Upper bound unchecked]. Tracking "dwords": unsigned, 32 bit(s)] SOURCE=[/p0/working/Downloads/linux-2.6.18/drivers/char/drm/radeon_state.c, line 1672] SINK=[/p0/working/Downloads/linux-2.6.18/drivers/char/drm/radeon_state.c, line 1701] ORIGINATOR=[cqsat] 1669: */ 1670: buffer = 1671: (u32 *) ((char *)dev->agp_buffer_map->handle + buf->offset); 1672: dwords = size / 4; ^^^---------^^^----------^^^ START 1673: 1674: #define RADEON_COPY_MT(_buf, _data, _width) \ 1675: do { \ 1676: if (DRM_COPY_FROM_USER(_buf, _data, (_width))) {\ ...[skipping 22 line(s)]... 1698: data + 16, 16); 1699: } 1700: } else if (tex_width >= 64 || tex_width == 16) { 1701: RADEON_COPY_MT(buffer, data, ^^^---------^^^----------^^^ ERROR 1702: (int)(dwords * sizeof(u32))); 1703: } else if (tex_width < 16) { 1704: for (i = 0; i < tex->height; i++) { 1705: RADEON_COPY_MT(buffer, data, tex_width); ============================================================================== SEVERITY=[SERIOUS] ISSUE=[Dangerous dereference of tainted expression (cmdbuf).buf. Expression bounds: [No bounds check]. 
Tracking "(cmdbuf).buf": signed, 32 bit(s)] SOURCE=[/p0/working/Downloads/linux-2.6.18/drivers/char/drm/radeon_state.c, line 2780] SINK=[/p0/working/Downloads/linux-2.6.18/drivers/char/drm/radeon_state.c, line 2823] ORIGINATOR=[cqsat] 2777: 2778: DRM_GET_PRIV_WITH_RETURN(filp_priv, filp); 2779: 2780: DRM_COPY_FROM_USER_IOCTL(cmdbuf, ^^^---------^^^----------^^^ START 2781: (drm_radeon_cmd_buffer_t __user *) data, 2782: sizeof(cmdbuf)); 2783: 2784: RING_SPACE_TEST_WITH_RETURN(dev_priv); ...[skipping 36 line(s)]... 2820: /* microcode_version != r300 */ 2821: while (cmdbuf.bufsz >= sizeof(header)) { 2822: 2823: header.i = *(int *)cmdbuf.buf; ^^^---------^^^----------^^^ ERROR 2824: cmdbuf.buf += sizeof(header); 2825: cmdbuf.bufsz -= sizeof(header); 2826: 2827: switch (header.header.cmd_type) { [REVIEW NOTE: whether 2823 dereferences a raw user pointer depends on the 36 skipped lines. If cmdbuf.buf is repointed at a kernel copy of bufsz bytes before the loop, this is a false positive; if it is not, 2823 reads user memory without copy_from_user. Confirm which before closing.] ============================================================================== SEVERITY=[SERIOUS] ISSUE=[Dangerous dereference of tainted expression (cmdbuf).cmd_addr. Expression bounds: [No bounds check]. Tracking "(cmdbuf).cmd_addr": signed, 32 bit(s)] SOURCE=[/p0/working/Downloads/linux-2.6.18/drivers/char/drm/savage_state.c, line 974] SINK=[/p0/working/Downloads/linux-2.6.18/drivers/char/drm/savage_state.c, line 1049] ORIGINATOR=[cqsat] 971: 972: LOCK_TEST_WITH_RETURN(dev, filp); 973: 974: DRM_COPY_FROM_USER_IOCTL(cmdbuf, (drm_savage_cmdbuf_t __user *) data, ^^^---------^^^----------^^^ START 975: sizeof(cmdbuf)); 976: 977: if (dma && dma->buflist) { 978: if (cmdbuf.dma_idx > dma->buf_count) { ...[skipping 68 line(s)]... [REVIEW NOTE: separate from the reported sink — the visible test on 978, `if (cmdbuf.dma_idx > dma->buf_count)`, is off by one if buflist holds buf_count entries: dma_idx == buf_count passes and the subsequent lookup reads one past the end. It should be `>=`. The buflist lookup itself is in the skipped lines.]
1046: first_draw_cmd = NULL; 1047: while (i < cmdbuf.size) { 1048: drm_savage_cmd_header_t cmd_header; 1049: cmd_header = *(drm_savage_cmd_header_t *)cmdbuf.cmd_addr; ^^^---------^^^----------^^^ ERROR 1050: cmdbuf.cmd_addr++; 1051: i++; 1052: 1053: /* Group drawing commands with same state to minimize ============================================================================== SEVERITY=[SERIOUS] ISSUE=[Dangerous dereference of tainted expression (idx+((short unsigned int*)((i*2U)))). Expression bounds: [No bounds check]. Tracking "idx": signed, 32 bit(s)] SOURCE=[/p0/working/Downloads/linux-2.6.18/drivers/char/drm/savage_state.c, line 908] SINK=[/p0/working/Downloads/linux-2.6.18/drivers/char/drm/savage_state.c, line 628] ORIGINATOR=[cqsat] 905: const drm_savage_cmd_header_t *cmdbuf; 906: dev_priv->emit_clip_rect(dev_priv, &boxes[i]); 907: 908: cmdbuf = start; ^^^---------^^^----------^^^ START 909: while (cmdbuf < end) { 910: drm_savage_cmd_header_t cmd_header; 911: cmd_header = *cmdbuf; 912: cmdbuf++; 625: 626: /* check indices */ 627: for (i = 0; i < count; ++i) { 628: if (idx[i] > dmabuf->total / 32) { ^^^---------^^^----------^^^ ERROR 629: DRM_ERROR("idx[%u]=%u out of range (0-%u)\n", 630: i, idx[i], dmabuf->total / 32); 631: return DRM_ERR(EINVAL); 632: } ============================================================================== SEVERITY=[SERIOUS] ISSUE=[Dangerous dereference of tainted expression cmdbuf. Expression bounds: [No bounds check]. 
Tracking "cmdbuf": signed, 32 bit(s)] SOURCE=[/p0/working/Downloads/linux-2.6.18/drivers/char/drm/savage_state.c, line 908] SINK=[/p0/working/Downloads/linux-2.6.18/drivers/char/drm/savage_state.c, line 911] ORIGINATOR=[cqsat] 905: const drm_savage_cmd_header_t *cmdbuf; 906: dev_priv->emit_clip_rect(dev_priv, &boxes[i]); 907: 908: cmdbuf = start; ^^^---------^^^----------^^^ START 909: while (cmdbuf < end) { 910: drm_savage_cmd_header_t cmd_header; 910: drm_savage_cmd_header_t cmd_header; 911: cmd_header = *cmdbuf; ^^^---------^^^----------^^^ ERROR 912: cmdbuf++; 913: switch (cmd_header.cmd.cmd) { 914: case SAVAGE_CMD_DMA_PRIM: 915: ret = savage_dispatch_dma_prim( ============================================================================== SEVERITY=[SERIOUS] ISSUE=[Tainted expression ((cmdbuf).size*8U) used as length parameter in this context. Expression bounds: [Upper bound unchecked]. Tracking "(cmdbuf).size": unsigned, 32 bit(s)] SOURCE=[/p0/working/Downloads/linux-2.6.18/drivers/char/drm/savage_state.c, line 974] SINK=[/p0/working/Downloads/linux-2.6.18/drivers/char/drm/savage_state.c, line 999] ORIGINATOR=[cqsat] 971: 972: LOCK_TEST_WITH_RETURN(dev, filp); 973: 974: DRM_COPY_FROM_USER_IOCTL(cmdbuf, (drm_savage_cmdbuf_t __user *) data, ^^^---------^^^----------^^^ START 975: sizeof(cmdbuf)); 976: 977: if (dma && dma->buflist) { 978: if (cmdbuf.dma_idx > dma->buf_count) { ...[skipping 18 line(s)]... 996: if (kcmd_addr == NULL) 997: return ENOMEM; 998: 999: if (DRM_COPY_FROM_USER(kcmd_addr, cmdbuf.cmd_addr, ^^^---------^^^----------^^^ ERROR 1000: cmdbuf.size * 8)) 1001: { 1002: drm_free(kcmd_addr, cmdbuf.size * 8, DRM_MEM_DRIVER); 1003: return DRM_ERR(EFAULT); [REVIEW NOTE: cmdbuf.size * 8 is a 32-bit unsigned product and wraps for size >= 2^29. If the allocation behind kcmd_addr (in the skipped lines) uses the same expression, the copy on 999 stays within the allocation, but any later loop that walks cmdbuf.size headers would run past the wrapped buffer — cap cmdbuf.size, or check the multiplication for overflow, before 999. Also note the inconsistent error convention: 997 returns a bare positive ENOMEM whereas 1003 returns DRM_ERR(EFAULT); 997 should be DRM_ERR(ENOMEM).] ============================================================================== SEVERITY=[SERIOUS] ISSUE=[Dangerous dereference of tainted expression hw_addr_ptr. Expression bounds: [Upper bound unchecked]. 
Tracking "hw_addr_ptr": unsigned, 32 bit(s)] SOURCE=[/p0/working/Downloads/linux-2.6.18/drivers/char/drm/via_dma.c, line 117] SINK=[/p0/working/Downloads/linux-2.6.18/drivers/char/drm/via_dma.c, line 122] ORIGINATOR=[cqsat] 114: uint32_t cur_addr, hw_addr, next_addr; 115: volatile uint32_t *hw_addr_ptr; 116: uint32_t count; 117: hw_addr_ptr = dev_priv->hw_addr_ptr; ^^^---------^^^----------^^^ START 118: cur_addr = dev_priv->dma_low; 120: count = 1000000; 121: do { 122: hw_addr = *hw_addr_ptr - agp_base; ^^^---------^^^----------^^^ ERROR 123: if (count-- == 0) { 124: DRM_ERROR 125: ("via_cmdbuf_wait timed out hw %x cur_addr %x next_addr %x\n", 126: hw_addr, cur_addr, next_addr); ============================================================================== SEVERITY=[SERIOUS] ISSUE=[Dangerous dereference of tainted expression (((*(dev_priv))).irq_map+((int*)((irq*4U)))). Expression bounds: [Lower bound unchecked]. Tracking "irq": signed, 0 bit(s)] SOURCE=[] SINK=[/p0/working/Downloads/linux-2.6.18/drivers/char/drm/via_irq.c, line 217] ORIGINATOR=[cqsat] 214: return DRM_ERR(EINVAL); 215: } 216: 217: real_irq = dev_priv->irq_map[irq]; ^^^---------^^^----------^^^ ERROR 218: 219: if (real_irq < 0) { 220: DRM_ERROR("%s Video IRQ %d not available on this hardware.\n", 221: __FUNCTION__, irq); ============================================================================== SEVERITY=[SERIOUS] ISSUE=[Dangerous dereference of tainted expression cur_irq. Expression bounds: [Lower bound unchecked]. 
Tracking "(cur_irq).irq_received": signed, 0 bit(s)] SOURCE=[/p0/working/Downloads/linux-2.6.18/drivers/char/drm/via_irq.c, line 351] SINK=[/p0/working/Downloads/linux-2.6.18/drivers/char/drm/via_irq.c, line 355] ORIGINATOR=[cqsat] 348: return DRM_ERR(EINVAL); 349: } 350: 351: cur_irq += irqwait.request.irq; ^^^---------^^^----------^^^ START 352: 353: switch (irqwait.request.type & ~VIA_IRQ_FLAGS_MASK) { 354: case VIA_IRQ_RELATIVE: 355: irqwait.request.sequence += atomic_read(&cur_irq->irq_received); ^^^---------^^^----------^^^ ERROR 356: irqwait.request.type &= ~_DRM_VBLANK_RELATIVE; 357: case VIA_IRQ_ABSOLUTE: 358: break; 359: default: [REVIEW NOTE: the rejection ending on 348 sits immediately above 351 but its condition is not in the excerpt. If it only compares irqwait.request.irq against an upper limit and the field is signed, a negative value moves cur_irq backwards before the dereference on 355; if the field is unsigned (or the check also rejects negatives) this is a false positive. Check the condition and the field's declared type.] ============================================================================== SEVERITY=[SERIOUS] ISSUE=[Dangerous dereference of tainted expression (((*(p))).RIOPortp+((struct Port**)(((portStats).port*4U)))). Expression bounds: [Lower bound unchecked]. Tracking "(portStats).port": signed, 32 bit(s)] SOURCE=[/p0/working/Downloads/linux-2.6.18/drivers/char/rio/rioctrl.c, line 661] SINK=[/p0/working/Downloads/linux-2.6.18/drivers/char/rio/rioctrl.c, line 669] ORIGINATOR=[cqsat] 658: 659: case RIO_GET_PORT_STATS: 660: rio_dprintk(RIO_DEBUG_CTRL, "RIO_GET_PORT_STATS\n"); 661: if (copy_from_user(&portStats, argp, sizeof(struct portStats))) { ^^^---------^^^----------^^^ START 662: p->RIOError.Error = COPYIN_FAILED; 663: return -EFAULT; 664: } 665: if (portStats.port >= RIO_PORTS) { ...[skipping 1 line(s)]... 666: p->RIOError.Error = PORT_NUMBER_OUT_OF_RANGE; 667: return -ENXIO; 668: } 669: PortP = (p->RIOPortp[portStats.port]); ^^^---------^^^----------^^^ ERROR 670: portStats.gather = PortP->statsGather; 671: portStats.txchars = PortP->txchars; 672: portStats.rxchars = PortP->rxchars; 673: portStats.opens = PortP->opens; [REVIEW NOTE: agrees with the tool. portStats comes straight from copy_from_user (661), the port field is tracked as a signed 32-bit value, and 665 only rejects values >= RIO_PORTS, so a negative port indexes before the start of RIOPortp and the result is dereferenced on 670-673. Change 665 to `if (portStats.port < 0 || portStats.port >= RIO_PORTS)`.] ============================================================================== SEVERITY=[SERIOUS] ISSUE=[Dangerous dereference of tainted expression (((*(p))).RIOPortp+((struct Port**)(((portStats).port*4U)))). 
Expression bounds: [Lower bound unchecked]. Tracking "(portStats).port": signed, 32 bit(s)] SOURCE=[/p0/working/Downloads/linux-2.6.18/drivers/char/rio/rioctrl.c, line 701] SINK=[/p0/working/Downloads/linux-2.6.18/drivers/char/rio/rioctrl.c, line 709] ORIGINATOR=[cqsat] 698: 699: case RIO_GATHER_PORT_STATS: 700: rio_dprintk(RIO_DEBUG_CTRL, "RIO_GATHER_PORT_STATS\n"); 701: if (copy_from_user(&portStats, argp, sizeof(struct portStats))) { ^^^---------^^^----------^^^ START 702: p->RIOError.Error = COPYIN_FAILED; 703: return -EFAULT; 704: } 705: if (portStats.port >= RIO_PORTS) { ...[skipping 1 line(s)]... 706: p->RIOError.Error = PORT_NUMBER_OUT_OF_RANGE; 707: return -ENXIO; 708: } 709: PortP = (p->RIOPortp[portStats.port]); ^^^---------^^^----------^^^ ERROR 710: rio_spin_lock_irqsave(&PortP->portSem, flags); 711: PortP->statsGather = portStats.gather; 712: rio_spin_unlock_irqrestore(&PortP->portSem, flags); 713: return retval; [REVIEW NOTE: agrees with the tool; same defect as the RIO_GET_PORT_STATS case, and this one writes through the pointer (711) after taking a lock in it (710). Only the upper bound is tested on 705 while the field is signed; change it to `if (portStats.port < 0 || portStats.port >= RIO_PORTS)`.] ============================================================================== SEVERITY=[SERIOUS] ISSUE=[Tainted expression mon used as an index in this context. Expression bounds: [Lower bound unchecked]. Tracking "mon": signed, 32 bit(s)] SOURCE=[/p0/working/Downloads/linux-2.6.18/drivers/char/rtc.c, line 547] SINK=[/p0/working/Downloads/linux-2.6.18/drivers/char/rtc.c, line 561] ORIGINATOR=[cqsat] 544: return -EFAULT; 545: 546: yrs = rtc_tm.tm_year + 1900; 547: mon = rtc_tm.tm_mon + 1; /* tm_mon starts at zero */ ^^^---------^^^----------^^^ START 548: day = rtc_tm.tm_mday; 549: hrs = rtc_tm.tm_hour; 550: min = rtc_tm.tm_min; 551: sec = rtc_tm.tm_sec; ...[skipping 7 line(s)]... 
558: if ((mon > 12) || (day == 0)) 559: return -EINVAL; 560: 561: if (day > (days_in_mo[mon] + ((mon == 2) && leap_yr))) ^^^---------^^^----------^^^ ERROR 562: return -EINVAL; 563: 564: if ((hrs >= 24) || (min >= 60) || (sec >= 60)) 565: return -EINVAL; [REVIEW NOTE: agrees with the tool. rtc_tm is the user-supplied struct (the copy fails out on 544), mon is signed, and 558 only rejects mon > 12, so a tm_mon of -2 or below makes mon negative and days_in_mo[mon] on 561 reads before the table. Extend 558 to `if ((mon < 1) || (mon > 12) || (day == 0))`. The read is one index into a small table, and whether this ioctl is already gated on a capability is not visible in the excerpt, so severity may be lower than SERIOUS — but the fix is one token.] ============================================================================== SEVERITY=[SERIOUS] ISSUE=[Tainted expression i used as an index in this context. Expression bounds: [Upper bound unchecked]. Tracking "i": unsigned, 8 bit(s)] SOURCE=[/p0/working/Downloads/linux-2.6.18/drivers/char/vt_ioctl.c, line 212] SINK=[/p0/working/Downloads/linux-2.6.18/drivers/char/vt_ioctl.c, line 219] ORIGINATOR=[cqsat] 209: goto reterr; 210: } 211: kbs->kb_string[sizeof(kbs->kb_string)-1] = '\0'; 212: i = kbs->kb_func; ^^^---------^^^----------^^^ START 213: 214: switch (cmd) { 215: case KDGKBSENT: 216: sz = sizeof(kbs->kb_string) - 1; /* sz should have been 216: sz = sizeof(kbs->kb_string) - 1; /* sz should have been 217: a struct member */ 218: up = user_kdgkb->kb_string; 219: p = func_table[i]; ^^^---------^^^----------^^^ ERROR 220: if(p) 221: for ( ; *p && sz; p++, sz--) 222: if (put_user(*p, up++)) { 223: ret = -EFAULT; [REVIEW NOTE: i is tracked as an 8-bit unsigned value, so it ranges 0-255; if func_table has 256 entries this is a false positive. The table's declaration is not in the excerpt — confirm its size before closing.] ============================================================================== SEVERITY=[SERIOUS] ISSUE=[Tainted expression (tmp).kb_table used as an index in this context. Expression bounds: [Upper bound unchecked]. Tracking "(tmp).kb_table": unsigned, 8 bit(s)] SOURCE=[/p0/working/Downloads/linux-2.6.18/drivers/char/vt_ioctl.c, line 79] SINK=[/p0/working/Downloads/linux-2.6.18/drivers/char/vt_ioctl.c, line 87] ORIGINATOR=[cqsat] 76: struct kbentry tmp; 77: ushort *key_map, val, ov; 78: 79: if (copy_from_user(&tmp, user_kbe, sizeof(struct kbentry))) ^^^---------^^^----------^^^ START 80: return -EFAULT; 81: 82: if (!capable(CAP_SYS_TTY_CONFIG)) 83: perm = 0; ...[skipping 1 line(s)]... 
84: 85: switch (cmd) { 86: case KDGKBENT: 87: key_map = key_maps[s]; ^^^---------^^^----------^^^ ERROR 88: if (key_map) { 89: val = U(key_map[i]); 90: if (kbd->kbdmode != VC_UNICODE && KTYP(val) >= NR_TYPES) 91: val = K_HOLE; ============================================================================== SEVERITY=[SERIOUS] ISSUE=[Dangerous dereference of tainted expression (key_map+((short unsigned int*)(((tmp).kb_index*2U)))). Expression bounds: [Upper bound unchecked]. Tracking "(tmp).kb_index": unsigned, 8 bit(s)] SOURCE=[/p0/working/Downloads/linux-2.6.18/drivers/char/vt_ioctl.c, line 79] SINK=[/p0/working/Downloads/linux-2.6.18/drivers/char/vt_ioctl.c, line 89] ORIGINATOR=[cqsat] 76: struct kbentry tmp; 77: ushort *key_map, val, ov; 78: 79: if (copy_from_user(&tmp, user_kbe, sizeof(struct kbentry))) ^^^---------^^^----------^^^ START 80: return -EFAULT; 81: 82: if (!capable(CAP_SYS_TTY_CONFIG)) 83: perm = 0; ...[skipping 3 line(s)]... 86: case KDGKBENT: 87: key_map = key_maps[s]; 88: if (key_map) { 89: val = U(key_map[i]); ^^^---------^^^----------^^^ ERROR 90: if (kbd->kbdmode != VC_UNICODE && KTYP(val) >= NR_TYPES) 91: val = K_HOLE; 92: } else 93: val = (i ? K_HOLE : K_NOSUCHMAP); ============================================================================== SEVERITY=[SERIOUS] ISSUE=[Tainted expression taskout used as length parameter in this context. Expression bounds: [Upper bound unchecked]. Tracking "taskout": unsigned, 32 bit(s)] SOURCE=[/p0/working/Downloads/linux-2.6.18/drivers/ide/ide-taskfile.c, line 541] SINK=[/p0/working/Downloads/linux-2.6.18/drivers/ide/ide-taskfile.c, line 551] ORIGINATOR=[cqsat] 538: return -EFAULT; 539: } 540: 541: taskout = (int) req_task->out_size; ^^^---------^^^----------^^^ START 542: taskin = (int) req_task->in_size; 543: 544: if (taskout) { 545: int outtotal = tasksize; ...[skipping 3 line(s)]... 
548: err = -ENOMEM; 549: goto abort; 550: } 551: if (copy_from_user(outbuf, buf + outtotal, taskout)) { ^^^---------^^^----------^^^ ERROR 552: err = -EFAULT; 553: goto abort; 554: } 555: } [REVIEW NOTE: the allocation of outbuf is in the three skipped lines. If it is sized with the same taskout value, the copy on 551 fits and the only exposure is an unbounded allocation size (taskout is a 32-bit value cast from out_size on 541); cap it, or reclassify as resource consumption rather than memory corruption.] ============================================================================== SEVERITY=[SERIOUS] ISSUE=[Tainted expression (contr-1) used as an index in this context. Expression bounds: [Lower bound unchecked]. Tracking "contr": signed, 32 bit(s)] SOURCE=[/p0/working/Downloads/linux-2.6.18/drivers/isdn/capi/kcapi.c, line 789] SINK=[/p0/working/Downloads/linux-2.6.18/drivers/isdn/capi/kcapi.c, line 100] ORIGINATOR=[cqsat] 786: ldef.t4config.len = 0; 787: ldef.t4config.data = NULL; 788: } else { 789: if (copy_from_user(&ldef, data, ^^^---------^^^----------^^^ START 790: sizeof(avmb1_loadandconfigdef))) 791: return -EFAULT; 792: } 793: card = get_capi_ctr_by_nr(ldef.contr); 97: if (contr - 1 >= CAPI_MAXCONTR) 98: return NULL; 99: 100: return capi_cards[contr - 1]; ^^^---------^^^----------^^^ ERROR 101: } 102: 103: static inline struct capi20_appl *get_capi_appl_by_nr(u16 applid) 104: { [REVIEW NOTE: agrees with the tool. ldef.contr comes straight from copy_from_user (789) and the test on 97 is evaluated after integer promotion: with contr == 0 (or any negative value, if the parameter is signed as the tool reports) contr - 1 is a negative int, the comparison is false, and 100 reads capi_cards[-1] or earlier. Only an unsigned-int-or-wider parameter would wrap and be caught. Reject contr < 1 before the subtraction: `if (contr < 1 || contr - 1 >= CAPI_MAXCONTR) return NULL;`. Whether the calling ioctl is restricted to privileged users is not visible here.] ============================================================================== SEVERITY=[SERIOUS] ISSUE=[Dangerous dereference of tainted expression (((*(ca))).slot_info+((struct dvb_ca_slot*)((slot*112U)))). Expression bounds: [Upper bound unchecked]. Tracking "slot": signed, 0 bit(s)] SOURCE=[] SINK=[/p0/working/Downloads/linux-2.6.18/drivers/media/dvb/dvb-core/dvb_ca_en50221.c, line 1324] ORIGINATOR=[cqsat] 1321: count -= 2; 1322: 1323: /* check if the slot is actually running */ 1324: if (ca->slot_info[slot].slot_state != DVB_CA_SLOTSTATE_RUNNING) ^^^---------^^^----------^^^ ERROR 1325: return -EINVAL; 1326: 1327: /* fragment the packets & store in the buffer */ 1328: while (fragpos < count) { [REVIEW NOTE: the tool reports no source for slot and the excerpt (1321-1328) shows no comparison of slot against the number of slots before 1324. Confirm where slot is assigned and that it is range-checked before the slot_info index; if it is taken from caller-supplied data with no check, 1324 reads past slot_info.] ============================================================================== SEVERITY=[SERIOUS] ISSUE=[Tainted expression newFwSize used as length parameter in this context. 
Expression bounds: [No bounds check]. Tracking "newFwSize": signed, 32 bit(s)] SOURCE=[/p0/working/Downloads/linux-2.6.18/drivers/message/fusion/mptctl.c, line 1725] SINK=[/p0/working/Downloads/linux-2.6.18/drivers/message/fusion/mptctl.c, line 1738] ORIGINATOR=[cqsat] 1722: 1723: /* Allocate memory for the new FW image 1724: */ 1725: newFwSize = karg.newImageSize; ^^^---------^^^----------^^^ START 1726: 1727: if (newFwSize & 0x01) 1728: newFwSize += 1; 1729: if (newFwSize & 0x02) ...[skipping 6 line(s)]... 1735: 1736: /* Copy the data from user memory to kernel space 1737: */ 1738: if (copy_from_user(ioc->cached_fw, uarg->newImage, newFwSize)) { ^^^---------^^^----------^^^ ERROR 1739: printk(KERN_ERR "%s@%d::mptctl_replace_fw - " 1740: "Unable to read in mpt_ioctl_replace_fw image " 1741: "@ %p\n", __FILE__, __LINE__, uarg); 1742: mpt_free_fw_memory(ioc); ============================================================================== SEVERITY=[SERIOUS] ISSUE=[Tainted expression (bufOut).len used as length parameter in this context. Expression bounds: [Upper bound unchecked]. Tracking "(bufOut).len": signed, 32 bit(s)] SOURCE=[/p0/working/Downloads/linux-2.6.18/drivers/message/fusion/mptctl.c, line 2160] SINK=[/p0/working/Downloads/linux-2.6.18/drivers/message/fusion/mptctl.c, line 2176] ORIGINATOR=[cqsat] 2157: flagsLength = MPT_SGE_FLAGS_SSIMPLE_WRITE; 2158: } 2159: flagsLength |= karg.dataOutSize; 2160: bufOut.len = karg.dataOutSize; ^^^---------^^^----------^^^ START 2161: bufOut.kptr = pci_alloc_consistent( 2162: ioc->pcidev, bufOut.len, &dma_addr_out); 2163: 2164: if (bufOut.kptr == NULL) { ...[skipping 9 line(s)]... 2173: 2174: /* Copy user data to kernel space. 
2175: */ 2176: if (copy_from_user(bufOut.kptr, ^^^---------^^^----------^^^ ERROR 2177: karg.dataOutBufPtr, 2178: bufOut.len)) { 2179: printk(KERN_ERR 2180: "%s@%d::mptctl_do_mpt_command - Unable " ============================================================================== SEVERITY=[SERIOUS] ISSUE=[Tainted expression (karg).dataInSize used as length parameter in this context. Expression bounds: [Upper bound unchecked]. Tracking "(karg).dataInSize": signed, 32 bit(s)] SOURCE=[/p0/working/Downloads/linux-2.6.18/drivers/message/fusion/mptctl.c, line 1775] SINK=[/p0/working/Downloads/linux-2.6.18/drivers/message/fusion/mptctl.c, line 2297] ORIGINATOR=[cqsat] 1772: 1773: dctlprintk(("mptctl_command called.\n")); 1774: 1775: if (copy_from_user(&karg, uarg, sizeof(struct mpt_ioctl_command))) { ^^^---------^^^----------^^^ START 1776: printk(KERN_ERR "%s@%d::mptctl_mpt_command - " 1777: "Unable to read in mpt_ioctl_command struct @ %p\n", 1778: __FILE__, __LINE__, uarg); 1779: return -EFAULT; ...[skipping 515 line(s)]... 2294: if ((ioc->ioctl->status & MPT_IOCTL_STATUS_COMMAND_GOOD) && 2295: (karg.dataInSize > 0) && (bufIn.kptr)) { 2296: 2297: if (copy_to_user(karg.dataInBufPtr, ^^^---------^^^----------^^^ ERROR 2298: bufIn.kptr, karg.dataInSize)) { 2299: printk(KERN_ERR "%s@%d::mptctl_do_mpt_command - " 2300: "Unable to write data to user %p\n", 2301: __FILE__, __LINE__, ============================================================================== SEVERITY=[SERIOUS] ISSUE=[Dangerous dereference of tainted expression (fsa_dev_ptr+((struct fsa_dev_info*)(((qd).cnum*64U)))). Expression bounds: [No bounds check]. 
Tracking "(qd).cnum": signed, 32 bit(s)] SOURCE=[/p0/working/Downloads/linux-2.6.18/drivers/scsi/aacraid/aachba.c, line 1788] SINK=[/p0/working/Downloads/linux-2.6.18/drivers/scsi/aacraid/aachba.c, line 1800] ORIGINATOR=[cqsat] 1785: if (copy_from_user(&qd, arg, sizeof (struct aac_query_disk))) 1786: return -EFAULT; 1787: if (qd.cnum == -1) 1788: qd.cnum = qd.id; ^^^---------^^^----------^^^ START 1789: else if ((qd.bus == -1) && (qd.id == -1) && (qd.lun == -1)) 1790: { 1791: if (qd.cnum < 0 || qd.cnum >= dev->maximum_num_containers) 1792: return -EINVAL; ...[skipping 5 line(s)]... 1797: } 1798: else return -EINVAL; 1799: 1800: qd.valid = fsa_dev_ptr[qd.cnum].valid; ^^^---------^^^----------^^^ ERROR 1801: qd.locked = fsa_dev_ptr[qd.cnum].locked; 1802: qd.deleted = fsa_dev_ptr[qd.cnum].deleted; 1803: 1804: if (fsa_dev_ptr[qd.cnum].devname[0] == '\0') [REVIEW NOTE: agrees with the tool. The range check on 1791 lives only inside the else-if branch; the first branch (1787-1788) assigns the user-supplied qd.id to qd.cnum and falls straight through to the indexing on 1800-1804 without it, so a caller passing cnum == -1 with an arbitrary id reads fsa_dev_ptr at an unchecked signed offset. Move the `qd.cnum < 0 || qd.cnum >= dev->maximum_num_containers` test to after the if/else chain (before 1800) so every path is covered.] ============================================================================== SEVERITY=[SERIOUS] ISSUE=[Tainted expression ((gen).data_len+(gen).sense_len) used as length parameter in this context. Expression bounds: [Upper bound unchecked]. Tracking "(gen).data_len": unsigned, 32 bit(s)] SOURCE=[/p0/working/Downloads/linux-2.6.18/drivers/scsi/gdth.c, line 5095] SINK=[/p0/working/Downloads/linux-2.6.18/drivers/scsi/gdth.c, line 5104] ORIGINATOR=[cqsat] 5092: gdth_ha_str *ha; 5093: int rval; 5094: 5095: if (copy_from_user(&gen, arg, sizeof(gdth_ioctl_general)) || ^^^---------^^^----------^^^ START 5096: gen.ionode >= gdth_ctr_count) 5097: return -EFAULT; 5098: hanum = gen.ionode; 5099: ha = HADATA(gdth_ctr_tab[hanum]); ...[skipping 2 line(s)]... 
5101: if (!(buf = gdth_ioctl_alloc(hanum, gen.data_len + gen.sense_len, 5102: FALSE, &paddr))) 5103: return -EFAULT; 5104: if (copy_from_user(buf, arg + sizeof(gdth_ioctl_general), ^^^---------^^^----------^^^ ERROR 5105: gen.data_len + gen.sense_len)) { 5106: gdth_ioctl_free(hanum, gen.data_len+gen.sense_len, buf, paddr); 5107: return -EFAULT; 5108: } ============================================================================== SEVERITY=[SERIOUS] ISSUE=[Tainted expression (uioc).xferlen used as length parameter in this context. Expression bounds: [Upper bound unchecked]. Tracking "(uioc).xferlen": unsigned, 32 bit(s)] SOURCE=[/p0/working/Downloads/linux-2.6.18/drivers/scsi/megaraid.c, line 3880] SINK=[/p0/working/Downloads/linux-2.6.18/drivers/scsi/megaraid.c, line 3743] ORIGINATOR=[cqsat] 3877: /* 3878: * Choose the xferlen bigger of input and output data 3879: */ 3880: uioc->xferlen = uioc_mimd.outlen > uioc_mimd.inlen ? ^^^---------^^^----------^^^ START 3881: uioc_mimd.outlen : uioc_mimd.inlen; 3882: 3883: if( uioc_mimd.outlen ) uioc->flags = UIOC_RD; 3884: if( uioc_mimd.inlen ) uioc->flags |= UIOC_WR; 3740: * Is data going up-stream 3741: */ 3742: if( uioc.xferlen && (uioc.flags & UIOC_RD) ) { 3743: if( copy_to_user((char __user *)uxferaddr, data, ^^^---------^^^----------^^^ ERROR 3744: uioc.xferlen) ) { 3745: 3746: rval = (-EFAULT); 3747: } ============================================================================== SEVERITY=[SERIOUS] ISSUE=[Dangerous dereference of tainted expression sense_ptr. Expression bounds: [Upper bound unchecked]. 
Tracking "sense_ptr": unsigned, 32 bit(s)] SOURCE=[/p0/working/Downloads/linux-2.6.18/drivers/scsi/megaraid/megaraid_sas.c, line 2562] SINK=[/p0/working/Downloads/linux-2.6.18/drivers/scsi/megaraid/megaraid_sas.c, line 2564] ORIGINATOR=[cqsat] 2559: goto out; 2560: } 2561: 2562: sense_ptr = ^^^---------^^^----------^^^ START 2563: (u32 *) ((unsigned long)cmd->frame + ioc->sense_off); 2564: *sense_ptr = sense_handle; 2563: (u32 *) ((unsigned long)cmd->frame + ioc->sense_off); 2564: *sense_ptr = sense_handle; ^^^---------^^^----------^^^ ERROR 2565: } 2566: 2567: /* 2568: * Set the sync_cmd flag so that the ISR knows not to complete this [REVIEW NOTE: agrees with the tool. ioc is the user-supplied packet (copied in on 2655 in the next finding) and nothing in the excerpt bounds ioc->sense_off before 2562-2563, so the store of sense_handle on 2564 lands at a user-chosen offset from cmd->frame. Reject a sense_off that would place the u32 outside the frame before using it; the same applies to sgl_off on 2519-2520 in the kern_sge32 finding below. The frame size is not visible here.] ============================================================================== SEVERITY=[SERIOUS] ISSUE=[Tainted expression ((*(ioc))).sense_len used as length parameter in this context. Expression bounds: [Upper bound unchecked]. Tracking "(ioc)->sense_len": unsigned, 32 bit(s)] SOURCE=[/p0/working/Downloads/linux-2.6.18/drivers/scsi/megaraid/megaraid_sas.c, line 2655] SINK=[/p0/working/Downloads/linux-2.6.18/drivers/scsi/megaraid/megaraid_sas.c, line 2597] ORIGINATOR=[cqsat] 2652: if (!ioc) 2653: return -ENOMEM; 2654: 2655: if (copy_from_user(ioc, user_ioc, sizeof(*ioc))) { ^^^---------^^^----------^^^ START 2656: error = -EFAULT; 2657: goto out_kfree_ioc; 2658: } 2659: 2594: sense_ptr = (u32 *) ((unsigned long)ioc->frame.raw + 2595: ioc->sense_off); 2596: 2597: if (copy_to_user((void __user *)((unsigned long)(*sense_ptr)), ^^^---------^^^----------^^^ ERROR 2598: sense, ioc->sense_len)) { 2599: error = -EFAULT; 2600: goto out; 2601: } [REVIEW NOTE: the length itself is the lesser problem — whether sense holds sense_len bytes depends on its allocation, which is not in the excerpt, and copy_to_user tolerates a bad destination. The sharper point is 2594-2595: ioc->frame.raw is indexed with the same unchecked ioc->sense_off, so a large sense_off reads the destination pointer from beyond the raw frame (a kernel read of attacker-chosen offset) before the copy. Bound sense_off against the frame size once, at the top of the ioctl, and both sites are covered.] ============================================================================== SEVERITY=[SERIOUS] ISSUE=[Dangerous dereference of tainted expression (kern_sge32+((struct megasas_sge32*)((i*8U)))). Expression bounds: [Upper bound unchecked]. 
Tracking "(kern_sge32).phys_addr": unsigned, 32 bit(s)] SOURCE=[/p0/working/Downloads/linux-2.6.18/drivers/scsi/megaraid/megaraid_sas.c, line 2519] SINK=[/p0/working/Downloads/linux-2.6.18/drivers/scsi/megaraid/megaraid_sas.c, line 2620] ORIGINATOR=[cqsat] 2516: * kernel buffers in SGLs. The location of SGL is embedded in the 2517: * struct iocpacket itself. 2518: */ 2519: kern_sge32 = (struct megasas_sge32 *) ^^^---------^^^----------^^^ START 2520: ((unsigned long)cmd->frame + ioc->sgl_off); 2521: 2522: /* 2523: * For each user buffer, create a mirror buffer and copy in ...[skipping 94 line(s)]... 2617: } 2618: 2619: for (i = 0; i < ioc->sge_count && kbuff_arr[i]; i++) { 2620: pci_free_consistent(instance->pdev, ^^^---------^^^----------^^^ ERROR 2621: kern_sge32[i].length, 2622: kbuff_arr[i], kern_sge32[i].phys_addr); 2623: } 2624: ============================================================================== SEVERITY=[SERIOUS] ISSUE=[Dangerous dereference of tainted expression (((*(field))).usage+((struct hid_usage*)((((*(uref))).usage_index*16U)))). Expression bounds: [Upper bound unchecked]. Tracking "(uref)->usage_index": unsigned, 32 bit(s)] SOURCE=[/p0/working/Downloads/linux-2.6.18/drivers/usb/input/hiddev.c, line 605] SINK=[/p0/working/Downloads/linux-2.6.18/drivers/usb/input/hiddev.c, line 654] ORIGINATOR=[cqsat] 602: sizeof(*uref_multi))) 603: goto fault; 604: } else { 605: if (copy_from_user(uref, user_arg, sizeof(*uref))) ^^^---------^^^----------^^^ START 606: goto fault; 607: } 608: 609: if (cmd != HIDIOCGUSAGE && ...[skipping 42 line(s)]... 
651: 652: case HIDIOCGCOLLECTIONINDEX: 653: kfree(uref_multi); 654: return field->usage[uref->usage_index].collection_index; ^^^---------^^^----------^^^ ERROR 655: case HIDIOCGUSAGES: 656: for (i = 0; i < uref_multi->num_values; i++) 657: uref_multi->values[i] = 658: field->value[uref->usage_index + i]; ============================================================================== SEVERITY=[SERIOUS] ISSUE=[Dangerous dereference of tainted expression (sechdrs+((struct Elf32_Shdr*)((((*(hdr))).e_shstrndx*40U)))). Expression bounds: [Upper bound unchecked]. Tracking "(hdr)->e_shstrndx": unsigned, 16 bit(s)] SOURCE=[/p0/working/Downloads/linux-2.6.18/kernel/module.c, line 1499] SINK=[/p0/working/Downloads/linux-2.6.18/kernel/module.c, line 1519] ORIGINATOR=[cqsat] 1496: /* vmalloc barfs on "unusual" numbers. Check here */ 1497: if (len > 64 * 1024 * 1024 || (hdr = vmalloc(len)) == NULL) 1498: return ERR_PTR(-ENOMEM); 1499: if (copy_from_user(hdr, umod, len) != 0) { ^^^---------^^^----------^^^ START 1500: err = -EFAULT; 1501: goto free_hdr; 1502: } 1503: ...[skipping 13 line(s)]... 1516: 1517: /* Convenience variables */ 1518: sechdrs = (void *)hdr + hdr->e_shoff; 1519: secstrings = (void *)hdr + sechdrs[hdr->e_shstrndx].sh_offset; ^^^---------^^^----------^^^ ERROR 1520: sechdrs[0].sh_addr = 0; 1521: 1522: for (i = 1; i < hdr->e_shnum; i++) { 1523: if (sechdrs[i].sh_type != SHT_NOBITS ============================================================================== SEVERITY=[SERIOUS] ISSUE=[Dangerous dereference of tainted expression header. Expression bounds: [Upper bound unchecked]. 
Tracking "(header).tp_status": unsigned, 32 bit(s)] SOURCE=[/p0/working/Downloads/linux-2.6.18/net/packet/af_packet.c, line 1674] SINK=[/p0/working/Downloads/linux-2.6.18/net/packet/af_packet.c, line 1675] ORIGINATOR=[cqsat] 1671: int k; 1672: 1673: for (k = 0; k < po->frames_per_block; k++) { 1674: header = (struct tpacket_hdr *) ptr; ^^^---------^^^----------^^^ START 1675: header->tp_status = TP_STATUS_KERNEL; 1676: ptr += req->tp_frame_size; 1677: } 1675: header->tp_status = TP_STATUS_KERNEL; ^^^---------^^^----------^^^ ERROR 1676: ptr += req->tp_frame_size; 1677: } 1678: } 1679: /* Done */ ============================================================================== SEVERITY=[SERIOUS] ISSUE=[Dangerous dereference of tainted expression callback. Expression bounds: [No bounds check]. Tracking "(callback).owner": signed, 32 bit(s)] SOURCE=[/p0/working/Downloads/linux-2.6.18/sound/core/seq/seq_clientmgr.c, line 1262] SINK=[/p0/working/Downloads/linux-2.6.18/sound/core/seq/seq_clientmgr.c, line 1263] ORIGINATOR=[cqsat] 1259: return -EINVAL; 1260: } 1261: if (client->type == KERNEL_CLIENT) { 1262: if ((callback = info.kernel) != NULL) { ^^^---------^^^----------^^^ START 1263: if (callback->owner) 1264: port->owner = callback->owner; 1265: port->private_data = callback->private_data; 1263: if (callback->owner) ^^^---------^^^----------^^^ ERROR 1264: port->owner = callback->owner; 1265: port->private_data = callback->private_data; 1266: port->private_free = callback->private_free; 1267: port->callback_all = callback->callback_all; ============================================================================== SEVERITY=[SERIOUS] ISSUE=[Dangerous dereference of tainted expression callback. Expression bounds: [No bounds check]. 
Tracking "(callback).owner": signed, 32 bit(s)] SOURCE=[/p0/working/Downloads/linux-2.6.18/sound/core/seq/seq_clientmgr.c, line 1262] SINK=[/p0/working/Downloads/linux-2.6.18/sound/core/seq/seq_clientmgr.c, line 1264] ORIGINATOR=[cqsat] 1259: return -EINVAL; 1260: } 1261: if (client->type == KERNEL_CLIENT) { 1262: if ((callback = info.kernel) != NULL) { ^^^---------^^^----------^^^ START 1263: if (callback->owner) 1264: port->owner = callback->owner; 1263: if (callback->owner) 1264: port->owner = callback->owner; ^^^---------^^^----------^^^ ERROR 1265: port->private_data = callback->private_data; 1266: port->private_free = callback->private_free; 1267: port->callback_all = callback->callback_all; 1268: port->event_input = callback->event_input; ============================================================================== SEVERITY=[SERIOUS] ISSUE=[Tainted expression voice_offset used as an index in this context. Expression bounds: [Upper bound unchecked]. Tracking "voice_offset": unsigned, 8 bit(s)] SOURCE=[/p0/working/Downloads/linux-2.6.18/sound/drivers/opl3/opl3_synth.c, line 308] SINK=[/p0/working/Downloads/linux-2.6.18/sound/drivers/opl3/opl3_synth.c, line 311] ORIGINATOR=[cqsat] 305: } else { 306: /* Right register block for voices 9 .. 17 */ 307: reg_side = OPL3_RIGHT; 308: voice_offset = voice->voice - MAX_OPL2_VOICES; ^^^---------^^^----------^^^ START 309: } 310: /* Get register offset of operator */ 310: /* Get register offset of operator */ 311: op_offset = snd_opl3_regmap[voice_offset][voice->op]; ^^^---------^^^----------^^^ ERROR 312: 313: reg_val = 0x00; 314: /* Set amplitude modulation (tremolo) effect */ 315: if (voice->am) ============================================================================== SEVERITY=[WARNING] ISSUE=[Tainted expression (iocommand).buf_size used as a size argument to a memory allocation function. Expression bounds: [Upper bound unchecked]. 
Tracking "(iocommand).buf_size": unsigned, 16 bit(s)] SOURCE=[/p0/working/Downloads/linux-2.6.18/drivers/block/cciss.c, line 890] SINK=[/p0/working/Downloads/linux-2.6.18/drivers/block/cciss.c, line 903] ORIGINATOR=[cqsat] 887: if (!capable(CAP_SYS_RAWIO)) 888: return -EPERM; 889: 890: if (copy_from_user ^^^---------^^^----------^^^ START 891: (&iocommand, argp, sizeof(IOCTL_Command_struct))) 892: return -EFAULT; 893: if ((iocommand.buf_size < 1) && 894: (iocommand.Request.Type.Direction != XFER_NONE)) { ...[skipping 6 line(s)]... 900: return -EINVAL; 901: #endif 902: if (iocommand.buf_size > 0) { 903: buff = kmalloc(iocommand.buf_size, GFP_KERNEL); ^^^---------^^^----------^^^ ERROR 904: if (buff == NULL) 905: return -EFAULT; 906: } 907: if (iocommand.Request.Type.Direction == XFER_WRITE) { ============================================================================== SEVERITY=[WARNING] ISSUE=[Tainted expression size used as a size argument to a memory allocation function. Expression bounds: [No bounds check]. 
Tracking "size": signed, 32 bit(s)] SOURCE=[/p0/working/Downloads/linux-2.6.18/drivers/char/drm/r128_state.c, line 911] SINK=[/p0/working/Downloads/linux-2.6.18/drivers/char/drm/drmP.h, line 1072] ORIGINATOR=[cqsat] 908: return DRM_ERR(EFAULT); 909: } 910: 911: buffer_size = depth->n * sizeof(u32); ^^^---------^^^----------^^^ START 912: buffer = drm_alloc(buffer_size, DRM_MEM_BUFS); 913: if (buffer == NULL) 914: return DRM_ERR(ENOMEM); 915: if (DRM_COPY_FROM_USER(buffer, depth->buffer, buffer_size)) { 1069: /** Wrapper around kmalloc() */ 1070: static __inline__ void *drm_alloc(size_t size, int area) 1071: { 1072: return kmalloc(size, GFP_KERNEL); ^^^---------^^^----------^^^ ERROR 1073: } 1074: 1075: /** Wrapper around kfree() */ 1076: static __inline__ void drm_free(void *pt, size_t size, int area) ============================================================================== SEVERITY=[WARNING] ISSUE=[Tainted expression ((cmd).ne*48U) used as a size argument to a memory allocation function. Expression bounds: [Upper bound unchecked]. Tracking "(cmd).ne": unsigned, 32 bit(s)] SOURCE=[/p0/working/Downloads/linux-2.6.18/drivers/infiniband/core/uverbs_cmd.c, line 904] SINK=[/p0/working/Downloads/linux-2.6.18/drivers/infiniband/core/uverbs_cmd.c, line 907] ORIGINATOR=[cqsat] 901: int i; 902: int rsize; 903: 904: if (copy_from_user(&cmd, buf, sizeof cmd)) ^^^---------^^^----------^^^ START 905: return -EFAULT; 906: 906: 907: wc = kmalloc(cmd.ne * sizeof *wc, GFP_KERNEL); ^^^---------^^^----------^^^ ERROR 908: if (!wc) 909: return -ENOMEM; 910: 911: rsize = sizeof *resp + cmd.ne * sizeof(struct ib_uverbs_wc); ============================================================================== SEVERITY=[WARNING] ISSUE=[Tainted expression len used as a size argument to a memory allocation function. Expression bounds: [Upper bound unchecked]. 
Tracking "len": unsigned, 16 bit(s)] SOURCE=[/p0/working/Downloads/linux-2.6.18/drivers/isdn/i4l/isdn_ppp.c, line 447] SINK=[/p0/working/Downloads/linux-2.6.18/drivers/isdn/i4l/isdn_ppp.c, line 448] ORIGINATOR=[cqsat] 444: } 445: 446: /* uprog.len is unsigned short, so no overflow here */ 447: len = uprog.len * sizeof(struct sock_filter); ^^^---------^^^----------^^^ START 448: code = kmalloc(len, GFP_KERNEL); 449: if (code == NULL) 450: return -ENOMEM; 448: code = kmalloc(len, GFP_KERNEL); ^^^---------^^^----------^^^ ERROR 449: if (code == NULL) 450: return -ENOMEM; 451: 452: if (copy_from_user(code, uprog.filter, len)) { ============================================================================== SEVERITY=[WARNING] ISSUE=[Tainted expression (tmp).data_size used as a size argument to a memory allocation function. Expression bounds: [Upper bound unchecked]. Tracking "(tmp).data_size": unsigned, 32 bit(s)] SOURCE=[/p0/working/Downloads/linux-2.6.18/drivers/md/dm-ioctl.c, line 1346] SINK=[/p0/working/Downloads/linux-2.6.18/drivers/md/dm-ioctl.c, line 1352] ORIGINATOR=[cqsat] 1343: { 1344: struct dm_ioctl tmp, *dmi; 1345: 1346: if (copy_from_user(&tmp, user, sizeof(tmp))) ^^^---------^^^----------^^^ START 1349: if (tmp.data_size < sizeof(tmp)) 1350: return -EINVAL; 1351: 1352: dmi = (struct dm_ioctl *) vmalloc(tmp.data_size); ^^^---------^^^----------^^^ ERROR 1353: if (!dmi) 1354: return -ENOMEM; 1355: 1356: if (copy_from_user(dmi, user, tmp.data_size)) { ============================================================================== SEVERITY=[WARNING] ISSUE=[Tainted expression numBytes used as a size argument to a memory allocation function. Expression bounds: [No bounds check]. Tracking "numBytes": signed, 32 bit(s)] SOURCE=[/p0/working/Downloads/linux-2.6.18/drivers/message/fusion/mptctl.c, line 1356] SINK=[/p0/working/Downloads/linux-2.6.18/drivers/message/fusion/mptctl.c, line 1380] ORIGINATOR=[cqsat] 1353: * in the returned structure. 
1354: * Ignore the port setting. 1355: */ 1356: numBytes = karg.hdr.maxDataSize - sizeof(mpt_ioctl_header); ^^^---------^^^----------^^^ START 1357: maxWordsLeft = numBytes/sizeof(int); 1358: port = karg.hdr.port; 1359: 1360: if (maxWordsLeft <= 0) { ...[skipping 17 line(s)]... 1377: * 15- 8: Bus Number 1378: * 7- 0: Target ID 1379: */ 1380: pmem = kmalloc(numBytes, GFP_KERNEL); ^^^---------^^^----------^^^ ERROR 1381: if (pmem == NULL) { 1382: printk(KERN_ERR "%s::mptctl_gettargetinfo() @%d - no memory available!\n", 1383: __FILE__, __LINE__); 1384: return -ENOMEM; ============================================================================== SEVERITY=[WARNING] ISSUE=[Tainted expression (kcmd).oplen used as a size argument to a memory allocation function. Expression bounds: [Upper bound unchecked]. Tracking "(kcmd).oplen": unsigned, 32 bit(s)] SOURCE=[/p0/working/Downloads/linux-2.6.18/drivers/message/i2o/i2o_config.c, line 175] SINK=[/p0/working/Downloads/linux-2.6.18/drivers/message/i2o/i2o_config.c, line 189] ORIGINATOR=[cqsat] 172: u32 i2o_cmd = (type == I2OPARMGET ? 173: I2O_CMD_UTIL_PARAMS_GET : I2O_CMD_UTIL_PARAMS_SET); 174: 175: if (copy_from_user(&kcmd, cmd, sizeof(struct i2o_cmd_psetget))) ^^^---------^^^----------^^^ START 176: return -EFAULT; 177: 178: if (get_user(reslen, kcmd.reslen)) 179: return -EFAULT; ...[skipping 7 line(s)]... 186: if (!dev) 187: return -ENXIO; 188: 189: ops = (u8 *) kmalloc(kcmd.oplen, GFP_KERNEL); ^^^---------^^^----------^^^ ERROR 190: if (!ops) 191: return -ENOMEM; 192: 193: if (copy_from_user(ops, kcmd.opbuf, kcmd.oplen)) { ============================================================================== SEVERITY=[WARNING] ISSUE=[Tainted expression len used as a size argument to a memory allocation function. Expression bounds: [Upper bound unchecked]. 
Tracking "len": unsigned, 16 bit(s)] SOURCE=[/p0/working/Downloads/linux-2.6.18/drivers/net/ppp_generic.c, line 531] SINK=[/p0/working/Downloads/linux-2.6.18/drivers/net/ppp_generic.c, line 532] ORIGINATOR=[cqsat] 528: return 0; 529: } 530: 531: len = uprog.len * sizeof(struct sock_filter); ^^^---------^^^----------^^^ START 532: code = kmalloc(len, GFP_KERNEL); 533: if (code == NULL) 534: return -ENOMEM; 532: code = kmalloc(len, GFP_KERNEL); ^^^---------^^^----------^^^ ERROR 533: if (code == NULL) 534: return -ENOMEM; 535: 536: if (copy_from_user(code, uprog.filter, len)) { ============================================================================== SEVERITY=[WARNING] ISSUE=[Tainted expression (xc).len used as a size argument to a memory allocation function. Expression bounds: [No bounds check]. Tracking "(xc).len": signed, 32 bit(s)] SOURCE=[/p0/working/Downloads/linux-2.6.18/drivers/net/wan/lmc/lmc_main.c, line 349] SINK=[/p0/working/Downloads/linux-2.6.18/drivers/net/wan/lmc/lmc_main.c, line 486] ORIGINATOR=[cqsat] 346: */ 347: netif_stop_queue(dev); 348: 349: if (copy_from_user(&xc, ifr->ifr_data, sizeof (struct lmc_xilinx_control))) ^^^---------^^^----------^^^ START 350: return -EFAULT; 351: switch(xc.command){ 352: case lmc_xilinx_reset: /*fold02*/ 353: { ...[skipping 130 line(s)]... 483: break; 484: } 485: 486: data = kmalloc(xc.len, GFP_KERNEL); ^^^---------^^^----------^^^ ERROR 487: if(data == 0x0){ 488: printk(KERN_WARNING "%s: Failed to allocate memory for copy\n", dev->name); 489: ret = -ENOMEM; 490: break; ============================================================================== SEVERITY=[WARNING] ISSUE=[Tainted expression (mem).len used as a size argument to a memory allocation function. Expression bounds: [No bounds check]. 
Tracking "(mem).len": signed, 32 bit(s)] SOURCE=[/p0/working/Downloads/linux-2.6.18/drivers/net/wan/sdla.c, line 1201] SINK=[/p0/working/Downloads/linux-2.6.18/drivers/net/wan/sdla.c, line 1206] ORIGINATOR=[cqsat] 1198: struct sdla_mem mem; 1199: char *temp; 1200: 1201: if(copy_from_user(&mem, info, sizeof(mem))) ^^^---------^^^----------^^^ START 1202: return -EFAULT; 1204: if (read) 1205: { 1206: temp = kmalloc(mem.len, GFP_KERNEL); ^^^---------^^^----------^^^ ERROR 1207: if (!temp) 1208: return(-ENOMEM); 1209: memset(temp, 0, mem.len); 1210: sdla_read(dev, mem.addr, temp, mem.len); ============================================================================== SEVERITY=[WARNING] ISSUE=[Tainted expression (com).len used as a size argument to a memory allocation function. Expression bounds: [Upper bound unchecked]. Tracking "(com).len": unsigned, 16 bit(s)] SOURCE=[/p0/working/Downloads/linux-2.6.18/drivers/net/wireless/atmel.c, line 2608] SINK=[/p0/working/Downloads/linux-2.6.18/drivers/net/wireless/atmel.c, line 2618] ORIGINATOR=[cqsat] 2605: break; 2606: 2607: case ATMELFWL: 2608: if (copy_from_user(&com, rq->ifr_data, sizeof(com))) { ^^^---------^^^----------^^^ START 2609: rc = -EFAULT; 2610: break; 2611: } 2612: ...[skipping 3 line(s)]... 2615: break; 2616: } 2617: 2618: if (!(new_firmware = kmalloc(com.len, GFP_KERNEL))) { ^^^---------^^^----------^^^ ERROR 2619: rc = -ENOMEM; 2620: break; 2621: } 2622: ============================================================================== SEVERITY=[WARNING] ISSUE=[Tainted expression (len+2U) used as a size argument to a memory allocation function. Expression bounds: [Lower bound unchecked]. 
Tracking "len": signed, 288 bit(s)] SOURCE=[/p0/working/Downloads/linux-2.6.18/drivers/net/wireless/hostap/hostap_ioctl.c, line 3751] SINK=[/p0/working/Downloads/linux-2.6.18/drivers/net/wireless/hostap/hostap_ioctl.c, line 3102] ORIGINATOR=[cqsat] 3748: { 3749: int max_len, len; 3750: 3751: len = param->u.generic_elem.len; ^^^---------^^^----------^^^ START 3752: max_len = param_len - PRISM2_HOSTAPD_GENERIC_ELEMENT_HDR_LEN; 3753: if (max_len < 0 || max_len < len) 3754: return -EINVAL; 3755: 3099: * Add 16-bit length in the beginning of the buffer because Prism2 RID 3100: * includes it. 3101: */ 3102: buf = kmalloc(len + 2, GFP_KERNEL); ^^^---------^^^----------^^^ ERROR 3103: if (buf == NULL) 3104: return -ENOMEM; 3105: 3106: *((u16 *) buf) = cpu_to_le16(len); ============================================================================== SEVERITY=[WARNING] ISSUE=[Tainted expression alen used as a size argument to a memory allocation function. Expression bounds: [Lower bound unchecked]. Tracking "alen": signed, 288 bit(s)] SOURCE=[/p0/working/Downloads/linux-2.6.18/drivers/net/wireless/prism54/isl_ioctl.c, line 2167] SINK=[/p0/working/Downloads/linux-2.6.18/drivers/net/wireless/prism54/isl_ioctl.c, line 2168] ORIGINATOR=[cqsat] 2164: if (max_len < 0 || max_len < len) 2165: return -EINVAL; 2166: 2167: alen = sizeof(*attach) + len; ^^^---------^^^----------^^^ START 2168: attach = kmalloc(alen, GFP_KERNEL); 2169: if (attach == NULL) 2170: return -ENOMEM; 2168: attach = kmalloc(alen, GFP_KERNEL); ^^^---------^^^----------^^^ ERROR 2169: if (attach == NULL) 2170: return -ENOMEM; 2171: 2172: memset(attach, 0, alen); ============================================================================== SEVERITY=[WARNING] ISSUE=[Tainted expression ((*(uurb))).buffer_length used as a size argument to a memory allocation function. Expression bounds: [Lower bound unchecked]. 
Tracking "(uurb)->buffer_length": signed, 32 bit(s)] SOURCE=[/p0/working/Downloads/linux-2.6.18/drivers/usb/core/devio.c, line 1082] SINK=[/p0/working/Downloads/linux-2.6.18/drivers/usb/core/devio.c, line 1026] ORIGINATOR=[cqsat] 1079: { 1080: struct usbdevfs_urb uurb; 1081: 1082: if (copy_from_user(&uurb, arg, sizeof(uurb))) ^^^---------^^^----------^^^ START 1083: return -EFAULT; 1084: 1085: return proc_do_submiturb(ps, &uurb, (((struct usbdevfs_urb __user *)arg)->iso_frame_desc), arg); 1086: } 1023: kfree(dr); 1024: return -ENOMEM; 1025: } 1026: if (!(as->urb->transfer_buffer = kmalloc(uurb->buffer_length, GFP_KERNEL))) { ^^^---------^^^----------^^^ ERROR 1027: kfree(isopkt); 1028: kfree(dr); 1029: free_async(as); 1030: return -ENOMEM; ============================================================================== SEVERITY=[WARNING] ISSUE=[Tainted expression ((hlp).num_counters*16U) used as a size argument to a memory allocation function. Expression bounds: [Upper bound unchecked]. Tracking "(hlp).num_counters": unsigned, 32 bit(s)] SOURCE=[/p0/working/Downloads/linux-2.6.18/net/bridge/netfilter/ebtables.c, line 1238] SINK=[/p0/working/Downloads/linux-2.6.18/net/bridge/netfilter/ebtables.c, line 1246] ORIGINATOR=[cqsat] 1235: struct ebt_replace hlp; 1236: struct ebt_table *t; 1237: 1238: if (copy_from_user(&hlp, user, sizeof(hlp))) ^^^---------^^^----------^^^ START 1239: return -EFAULT; 1240: 1241: if (len != sizeof(hlp) + hlp.num_counters * sizeof(struct ebt_counter)) 1242: return -EINVAL; ...[skipping 1 line(s)]... 1243: if (hlp.num_counters == 0) 1244: return -EINVAL; 1245: 1246: if (!(tmp = vmalloc(hlp.num_counters * sizeof(*tmp)))) { ^^^---------^^^----------^^^ ERROR 1247: MEMPRINT("Update_counters && nomemory\n"); 1248: return -ENOMEM; 1249: } 1250: ============================================================================== SEVERITY=[WARNING] ISSUE=[Tainted expression (tmp).entries_size used as a size argument to a memory allocation function. 
Expression bounds: [Upper bound unchecked]. Tracking "(tmp).entries_size": unsigned, 32 bit(s)] SOURCE=[/p0/working/Downloads/linux-2.6.18/net/bridge/netfilter/ebtables.c, line 925] SINK=[/p0/working/Downloads/linux-2.6.18/net/bridge/netfilter/ebtables.c, line 953] ORIGINATOR=[cqsat] 922: /* used to be able to unlock earlier */ 923: struct ebt_table_info *table; 924: 925: if (copy_from_user(&tmp, user, sizeof(tmp)) != 0) ^^^---------^^^----------^^^ START 926: return -EFAULT; 927: 928: if (len != sizeof(tmp) + tmp.entries_size) { 929: BUGPRINT("Wrong len argument\n"); ...[skipping 21 line(s)]... 950: if (countersize) 951: memset(newinfo->counters, 0, countersize); 952: 953: newinfo->entries = vmalloc(tmp.entries_size); ^^^---------^^^----------^^^ ERROR 954: if (!newinfo->entries) { 955: ret = -ENOMEM; 956: goto free_newinfo; 957: } ============================================================================== SEVERITY=[WARNING] ISSUE=[Tainted expression (epaddr).size used as a size argument to a memory allocation function. Expression bounds: [Upper bound unchecked]. Tracking "(epaddr).size": unsigned, 32 bit(s)] SOURCE=[/p0/working/Downloads/linux-2.6.18/net/core/ethtool.c, line 775] SINK=[/p0/working/Downloads/linux-2.6.18/net/core/ethtool.c, line 778] ORIGINATOR=[cqsat] 772: if (!dev->ethtool_ops->get_perm_addr) 773: return -EOPNOTSUPP; 774: 775: if (copy_from_user(&epaddr,useraddr,sizeof(epaddr))) ^^^---------^^^----------^^^ START 776: return -EFAULT; 777: 777: 778: data = kmalloc(epaddr.size, GFP_USER); ^^^---------^^^----------^^^ ERROR 779: if (!data) 780: return -ENOMEM; 781: 782: ret = dev->ethtool_ops->get_perm_addr(dev,&epaddr,data); ============================================================================== SEVERITY=[WARNING] ISSUE=[Tainted expression (opt).dccpsf_len used as a size argument to a memory allocation function. Expression bounds: [Upper bound unchecked]. 
Tracking "(opt).dccpsf_len": unsigned, 8 bit(s)] SOURCE=[/p0/working/Downloads/linux-2.6.18/net/dccp/proto.c, line 432] SINK=[/p0/working/Downloads/linux-2.6.18/net/dccp/proto.c, line 435] ORIGINATOR=[cqsat] 429: u8 *val; 430: int rc; 431: 432: if (copy_from_user(&opt, optval, sizeof(opt))) ^^^---------^^^----------^^^ START 433: return -EFAULT; 434: 434: 435: val = kmalloc(opt.dccpsf_len, GFP_KERNEL); ^^^---------^^^----------^^^ ERROR 436: if (!val) 437: return -ENOMEM; 438: 439: if (copy_from_user(val, opt.dccpsf_val, opt.dccpsf_len)) {