| Message ID | 514ef814-458d-4421-b93d-2d30bdc4a1e7@moroto.mountain |
|---|---|
| State | Accepted |
| Commit | c99626092efca3061b387043d4a7399bf75fbdd5 |
| Headers | show |
| Series | thermal: core: prevent potential string overflow | expand |
On Sat, Oct 7, 2023 at 10:59 AM Dan Carpenter <dan.carpenter@linaro.org> wrote: > > The dev->id value comes from ida_alloc() so it's a number between zero > and INT_MAX. If it's too high then these sprintf()s will overflow. > > Fixes: 203d3d4aa482 ("the generic thermal sysfs driver") > Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org> > --- > drivers/thermal/thermal_core.c | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) > > diff --git a/drivers/thermal/thermal_core.c b/drivers/thermal/thermal_core.c > index 45d0aa0b69b7..61f0b5a3b00c 100644 > --- a/drivers/thermal/thermal_core.c > +++ b/drivers/thermal/thermal_core.c > @@ -681,7 +681,8 @@ int thermal_bind_cdev_to_trip(struct thermal_zone_device *tz, > if (result) > goto release_ida; > > - sprintf(dev->attr_name, "cdev%d_trip_point", dev->id); > + snprintf(dev->attr_name, sizeof(dev->attr_name), "cdev%d_trip_point", > + dev->id); > sysfs_attr_init(&dev->attr.attr); > dev->attr.attr.name = dev->attr_name; > dev->attr.attr.mode = 0444; > @@ -690,7 +691,8 @@ int thermal_bind_cdev_to_trip(struct thermal_zone_device *tz, > if (result) > goto remove_symbol_link; > > - sprintf(dev->weight_attr_name, "cdev%d_weight", dev->id); > + snprintf(dev->weight_attr_name, sizeof(dev->weight_attr_name), > + "cdev%d_weight", dev->id); > sysfs_attr_init(&dev->weight_attr.attr); > dev->weight_attr.attr.name = dev->weight_attr_name; > dev->weight_attr.attr.mode = S_IWUSR | S_IRUGO; > -- Applied as 6.7 material, thanks!
diff --git a/drivers/thermal/thermal_core.c b/drivers/thermal/thermal_core.c index 45d0aa0b69b7..61f0b5a3b00c 100644 --- a/drivers/thermal/thermal_core.c +++ b/drivers/thermal/thermal_core.c @@ -681,7 +681,8 @@ int thermal_bind_cdev_to_trip(struct thermal_zone_device *tz, if (result) goto release_ida; - sprintf(dev->attr_name, "cdev%d_trip_point", dev->id); + snprintf(dev->attr_name, sizeof(dev->attr_name), "cdev%d_trip_point", + dev->id); sysfs_attr_init(&dev->attr.attr); dev->attr.attr.name = dev->attr_name; dev->attr.attr.mode = 0444; @@ -690,7 +691,8 @@ int thermal_bind_cdev_to_trip(struct thermal_zone_device *tz, if (result) goto remove_symbol_link; - sprintf(dev->weight_attr_name, "cdev%d_weight", dev->id); + snprintf(dev->weight_attr_name, sizeof(dev->weight_attr_name), + "cdev%d_weight", dev->id); sysfs_attr_init(&dev->weight_attr.attr); dev->weight_attr.attr.name = dev->weight_attr_name; dev->weight_attr.attr.mode = S_IWUSR | S_IRUGO;
The dev->id value comes from ida_alloc() so it's a number between zero and INT_MAX. If it's too high then these sprintf()s will overflow. Fixes: 203d3d4aa482 ("the generic thermal sysfs driver") Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org> --- drivers/thermal/thermal_core.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)