From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 14E7B371046 for ; Wed, 28 Jan 2026 18:25:56 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1769624757; cv=none; b=jBLTyuFcKwnkD25VHVBDfqvuM4D5cM58g5DtpyD+KhHd7PgDe8O1w0SwupsxmDgrN0hYhwcjzBU0kP0X/STY/iBwSEhCHWhi0UfGD+I1syX31WqwB7kL2EXqQZb7zgnZGU2Skmn+hwKLaMPwb9LXNYZdZ4LBr64QGihWN8VcqDs= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1769624757; c=relaxed/simple; bh=+1Y90Rj300NgAvzinOZyxDTjHQWWRQCXI+caTvlvyFQ=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=UoSivZ0v3E+jYzUi7E01Q19hLhOYQtEuuHEJKLbkjqj0BMC3qW1oy1V4CJZPxAWOoFPWFiXh63DUmcfRneTa+khfFhGAkkNkujii047Mfmc9MZ95moBM80kI9tSScPlPK5dAkPneY7ckelwpf6qVQ/u37nwo6qS2FIxS3uTfQfY= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=VVDfPhwM; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="VVDfPhwM" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 118AFC4CEF7; Wed, 28 Jan 2026 18:25:55 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1769624756; bh=+1Y90Rj300NgAvzinOZyxDTjHQWWRQCXI+caTvlvyFQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=VVDfPhwMdeUj2i7u0DRXgpfS15Ypv1+7Wy9VUPFdRkirQFRxuY3+4mPfxCaisWaBQ tioriNjs6oVFM3xvnmZQyGbfPlJHPfFpHvR10tkvZNXXagHdBTWu/CQNYo/IFtH1H8 wMYpLriKHQL5XSsotD/VFHkIzIMWnzJdPbR77JyDTpRB8RKARY5Tqt5teTZRjS2+Nn CC6AaryTqQL2Lxuyq7XVMHqXwU3Ur+lBELvn6fl3FuzBsw4RFdsLZCMVqiSwIEEG/E tI783oudywblH31Owm5bEzQML3lni+ozpX/Ja64hDqp6axLJNUsBz4wXFEGW5kU1bV 1Yjymu5Me1KhQ== From: Sasha Levin To: stable@vger.kernel.org Cc: Thorsten Blum , Krzysztof Kozlowski , Sasha Levin Subject: [PATCH 5.10.y 2/2] w1: therm: Fix off-by-one buffer overflow in alarms_store Date: Wed, 28 Jan 2026 13:25:52 -0500 Message-ID: <20260128182552.2659610-2-sashal@kernel.org> X-Mailer: git-send-email 2.51.0 In-Reply-To: <20260128182552.2659610-1-sashal@kernel.org> References: <2026012736-refined-nullify-a548@gregkh> <20260128182552.2659610-1-sashal@kernel.org> Precedence: bulk X-Mailing-List: stable@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit From: Thorsten Blum [ Upstream commit 761fcf46a1bd797bd32d23f3ea0141ffd437668a ] The sysfs buffer passed to alarms_store() is allocated with 'size + 1' bytes and a NUL terminator is appended. However, the 'size' argument does not account for this extra byte. The original code then allocated 'size' bytes and used strcpy() to copy 'buf', which always writes one byte past the allocated buffer since strcpy() copies until the NUL terminator at index 'size'. Fix this by parsing the 'buf' parameter directly using simple_strtoll() without allocating any intermediate memory or string copying. This removes the overflow while simplifying the code. Cc: stable@vger.kernel.org Fixes: e2c94d6f5720 ("w1_therm: adding alarm sysfs entry") Signed-off-by: Thorsten Blum Link: https://patch.msgid.link/20251216145007.44328-2-thorsten.blum@linux.dev Signed-off-by: Krzysztof Kozlowski Signed-off-by: Sasha Levin --- drivers/w1/slaves/w1_therm.c | 62 ++++++++++++------------------------ 1 file changed, 20 insertions(+), 42 deletions(-) diff --git a/drivers/w1/slaves/w1_therm.c b/drivers/w1/slaves/w1_therm.c index ad8276cc82f5b..8c97706cfc28c 100644 --- a/drivers/w1/slaves/w1_therm.c +++ b/drivers/w1/slaves/w1_therm.c @@ -1781,53 +1781,35 @@ static ssize_t alarms_store(struct device *device, struct w1_slave *sl = dev_to_w1_slave(device); struct therm_info info; u8 new_config_register[3]; /* array of data to be written */ - int temp, ret; - char *token = NULL; + long long temp; + int ret = 0; s8 tl, th; /* 1 byte per value + temp ring order */ - char *p_args, *orig; - - p_args = orig = kmalloc(size, GFP_KERNEL); - /* Safe string copys as buf is const */ - if (!p_args) { - dev_warn(device, - "%s: error unable to allocate memory %d\n", - __func__, -ENOMEM); - return size; - } - strcpy(p_args, buf); - - /* Split string using space char */ - token = strsep(&p_args, " "); - - if (!token) { - dev_info(device, - "%s: error parsing args %d\n", __func__, -EINVAL); - goto free_m; - } - - /* Convert 1st entry to int */ - ret = kstrtoint (token, 10, &temp); + const char *p = buf; + char *endp; + + temp = simple_strtoll(p, &endp, 10); + if (p == endp || *endp != ' ') + ret = -EINVAL; + else if (temp < INT_MIN || temp > INT_MAX) + ret = -ERANGE; if (ret) { dev_info(device, "%s: error parsing args %d\n", __func__, ret); - goto free_m; + return size; } tl = int_to_short(temp); - /* Split string using space char */ - token = strsep(&p_args, " "); - if (!token) { - dev_info(device, - "%s: error parsing args %d\n", __func__, -EINVAL); - goto free_m; - } - /* Convert 2nd entry to int */ - ret = kstrtoint (token, 10, &temp); + p = endp + 1; + temp = simple_strtoll(p, &endp, 10); + if (p == endp) + ret = -EINVAL; + else if (temp < INT_MIN || temp > INT_MAX) + ret = -ERANGE; if (ret) { dev_info(device, "%s: error parsing args %d\n", __func__, ret); - goto free_m; + return size; } /* Prepare to cast to short by eliminating out of range values */ @@ -1850,7 +1832,7 @@ static ssize_t alarms_store(struct device *device, dev_info(device, "%s: error reading from the slave device %d\n", __func__, ret); - goto free_m; + return size; } /* Write data in the device RAM */ @@ -1858,7 +1840,7 @@ static ssize_t alarms_store(struct device *device, dev_info(device, "%s: Device not supported by the driver %d\n", __func__, -ENODEV); - goto free_m; + return size; } ret = SLAVE_SPECIFIC_FUNC(sl)->write_data(sl, new_config_register); @@ -1867,10 +1849,6 @@ static ssize_t alarms_store(struct device *device, "%s: error writing to the slave device %d\n", __func__, ret); -free_m: - /* free allocated memory */ - kfree(orig); - return size; } -- 2.51.0