From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id F276541C2ED; Wed, 4 Feb 2026 15:09:45 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1770217786; cv=none; b=l6QRJrjawS6xBbL2mimtulC6Bs6epUsvugM05J39Cv6BADEKYUkJ2S1Qu0KtuuYE7QZgeFoNg/z8Oeuz6PavkAjPkuwooR3Ixu5OgMjrrpFKKsvaM+BFEALvDXii5CyDvYztdJb82WuhgVeCJV4oc+J5/OYuOhLWJg7Yz42Q7hw= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1770217786; c=relaxed/simple; bh=V3KOP2FdqfLj5ugLLZKOX27GdQ0Otc9NYkvFCK5y2eY=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=AuN2Kpwn5EykEYpYfN6SgfSg/On7OoT91RN53PD9Sg8R9WXQEf9WXj5c7D18bnZzmFu+XdMF3bGzNm6uz6+t036D676agioeZX6UVIQ26vq7oybCzNQ6x3vexSaY1VbLZ/SKvdihIbEw7fQukiOkT+mq0ADvTGCP0IaVJaApISg= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=ygiyYX4z; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="ygiyYX4z" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 76D5CC4CEF7; Wed, 4 Feb 2026 15:09:45 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1770217785; bh=V3KOP2FdqfLj5ugLLZKOX27GdQ0Otc9NYkvFCK5y2eY=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=ygiyYX4ztbUEfJQNGdJ0RvX3Ffc+a6fgzae73emMF1p0xbJpqUdEmMd8NpNFKjOS2 8bBFLsegler7PcHgg2nObl1sw/d4x/X0m3k6jBIOEXVjF89ODTZSNzsGqgJ9VhPAbd eg0T8Mzreq+LhmUcDrilLnYwRYHK0P+fKOdtq3GY= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Thorsten Blum , Krzysztof Kozlowski Subject: [PATCH 6.1 117/280] w1: therm: Fix off-by-one buffer overflow in alarms_store Date: Wed, 4 Feb 2026 15:38:11 +0100 Message-ID: <20260204143913.850463356@linuxfoundation.org> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260204143909.614719725@linuxfoundation.org> References: <20260204143909.614719725@linuxfoundation.org> User-Agent: quilt/0.69 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: stable@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit 6.1-stable review patch. If anyone has any objections, please let me know. ------------------ From: Thorsten Blum commit 761fcf46a1bd797bd32d23f3ea0141ffd437668a upstream. The sysfs buffer passed to alarms_store() is allocated with 'size + 1' bytes and a NUL terminator is appended. However, the 'size' argument does not account for this extra byte. The original code then allocated 'size' bytes and used strcpy() to copy 'buf', which always writes one byte past the allocated buffer since strcpy() copies until the NUL terminator at index 'size'. Fix this by parsing the 'buf' parameter directly using simple_strtoll() without allocating any intermediate memory or string copying. This removes the overflow while simplifying the code. Cc: stable@vger.kernel.org Fixes: e2c94d6f5720 ("w1_therm: adding alarm sysfs entry") Signed-off-by: Thorsten Blum Link: https://patch.msgid.link/20251216145007.44328-2-thorsten.blum@linux.dev Signed-off-by: Krzysztof Kozlowski Signed-off-by: Greg Kroah-Hartman --- drivers/w1/slaves/w1_therm.c | 60 +++++++++++++------------------------------ 1 file changed, 19 insertions(+), 41 deletions(-) --- a/drivers/w1/slaves/w1_therm.c +++ b/drivers/w1/slaves/w1_therm.c @@ -1846,53 +1846,35 @@ static ssize_t alarms_store(struct devic struct w1_slave *sl = dev_to_w1_slave(device); struct therm_info info; u8 new_config_register[3]; /* array of data to be written */ - int temp, ret; - char *token = NULL; + long long temp; + int ret = 0; s8 tl, th; /* 1 byte per value + temp ring order */ - char *p_args, *orig; + const char *p = buf; + char *endp; - p_args = orig = kmalloc(size, GFP_KERNEL); - /* Safe string copys as buf is const */ - if (!p_args) { - dev_warn(device, - "%s: error unable to allocate memory %d\n", - __func__, -ENOMEM); - return size; - } - strcpy(p_args, buf); - - /* Split string using space char */ - token = strsep(&p_args, " "); - - if (!token) { - dev_info(device, - "%s: error parsing args %d\n", __func__, -EINVAL); - goto free_m; - } - - /* Convert 1st entry to int */ - ret = kstrtoint (token, 10, &temp); + temp = simple_strtoll(p, &endp, 10); + if (p == endp || *endp != ' ') + ret = -EINVAL; + else if (temp < INT_MIN || temp > INT_MAX) + ret = -ERANGE; if (ret) { dev_info(device, "%s: error parsing args %d\n", __func__, ret); - goto free_m; + return size; } tl = int_to_short(temp); - /* Split string using space char */ - token = strsep(&p_args, " "); - if (!token) { - dev_info(device, - "%s: error parsing args %d\n", __func__, -EINVAL); - goto free_m; - } - /* Convert 2nd entry to int */ - ret = kstrtoint (token, 10, &temp); + p = endp + 1; + temp = simple_strtoll(p, &endp, 10); + if (p == endp) + ret = -EINVAL; + else if (temp < INT_MIN || temp > INT_MAX) + ret = -ERANGE; if (ret) { dev_info(device, "%s: error parsing args %d\n", __func__, ret); - goto free_m; + return size; } /* Prepare to cast to short by eliminating out of range values */ @@ -1915,7 +1897,7 @@ static ssize_t alarms_store(struct devic dev_info(device, "%s: error reading from the slave device %d\n", __func__, ret); - goto free_m; + return size; } /* Write data in the device RAM */ @@ -1923,7 +1905,7 @@ static ssize_t alarms_store(struct devic dev_info(device, "%s: Device not supported by the driver %d\n", __func__, -ENODEV); - goto free_m; + return size; } ret = SLAVE_SPECIFIC_FUNC(sl)->write_data(sl, new_config_register); @@ -1932,10 +1914,6 @@ static ssize_t alarms_store(struct devic "%s: error writing to the slave device %d\n", __func__, ret); -free_m: - /* free allocated memory */ - kfree(orig); - return size; }