It has reports for the pattern where unchecked values obtained from user space may be used as array indices or loop bounds.
It also has reports for places where copy_from_user is used.
What is copy_from_user?
It copies a block of data from user space to kernel space.
Returns number of bytes that could not be copied. On success, this will be zero.
If some data could not be copied, this function will pad the copied data to the requested size using zero bytes.
As I described here also, using values taken from the user as array indices or loop bounds without a check is bad.
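A small user-space model of that pattern, added here as an illustration and not code from the kernel or from these reports: the copy_from_user() stand-in, the user_region struct, the slots array, slot_req and both handlers are assumptions for the demo. The stand-in keeps the real function's contract (returns the number of bytes it could not copy and zero-fills the rest), and the checked handler shows the shape of fix such a report needs.

```c
#include <stdint.h>
#include <string.h>

#define NR_SLOTS 8
static int32_t slots[NR_SLOTS];

/* Hypothetical model of a user-space mapping: only the first `readable`
 * bytes of `base` can be read, the rest would fault. */
struct user_region { const void *base; unsigned long readable; };

/* Stand-in for the kernel's copy_from_user() with the documented contract:
 * copies what it can, returns the number of bytes NOT copied, and zero-fills
 * the part of the destination it could not copy. */
static unsigned long copy_from_user(void *to, const struct user_region *from,
                                    unsigned long n)
{
    unsigned long ok = n < from->readable ? n : from->readable;
    memcpy(to, from->base, ok);
    memset((char *)to + ok, 0, n - ok);
    return n - ok;
}

struct slot_req { uint32_t idx; int32_t value; };

/* The flagged pattern: idx arrives from user memory and indexes the array
 * without a bounds check, so idx >= NR_SLOTS writes past the end of slots. */
static int slot_write_unchecked(const struct user_region *ureq)
{
    struct slot_req req;
    if (copy_from_user(&req, ureq, sizeof(req)))
        return -1;                      /* -EFAULT in the kernel */
    slots[req.idx] = req.value;         /* out-of-bounds when idx >= NR_SLOTS */
    return 0;
}

/* Fixed form: reject any index outside the array before it is used. */
static int slot_write_checked(const struct user_region *ureq)
{
    struct slot_req req;
    if (copy_from_user(&req, ureq, sizeof(req)))
        return -1;                      /* -EFAULT */
    if (req.idx >= NR_SLOTS)
        return -2;                      /* -EINVAL */
    slots[req.idx] = req.value;
    return 0;
}

static int32_t slot_get(uint32_t i) { return i < NR_SLOTS ? slots[i] : 0; }
```

A partial copy (fewer readable bytes than sizeof(req)) is reported as a fault by both handlers, which is why the return value of copy_from_user must always be checked before the zero-padded data is trusted.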
There was only one TODO in this org file.
What is it? A FP or a Bug?
Oh, it is a bug. They have used a value taken from the user using copy_from_user as an array bound.
I’ll be sending patches to fix these issues once I’m done with the work of annotating the reports.