| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2026020412-CVE-2025-71197-cfe2@gregkh> Date: Wed, 4 Feb 2026 17:14:12 +0100 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2025-71197: w1: therm: Fix off-by-one buffer overflow in alarms_store From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: w1: therm: Fix off-by-one buffer overflow in alarms_store The sysfs buffer passed to alarms_store() is allocated with 'size + 1' bytes and a NUL terminator is appended. However, the 'size' argument does not account for this extra byte. The original code then allocated 'size' bytes and used strcpy() to copy 'buf', which always writes one byte past the allocated buffer since strcpy() copies until the NUL terminator at index 'size'. Fix this by parsing the 'buf' parameter directly using simple_strtoll() without allocating any intermediate memory or string copying. This removes the overflow while simplifying the code. The Linux kernel CVE team has assigned CVE-2025-71197 to this issue. Affected and fixed versions =========================== Issue introduced in 5.8 with commit e2c94d6f572079511945e64537eb1218643f2e68 and fixed in 6.6.122 with commit 6a5820ecfa5a76c3d3e154802c8c15f391ef442e Issue introduced in 5.8 with commit e2c94d6f572079511945e64537eb1218643f2e68 and fixed in 6.12.68 with commit 6fd6d2a8e41b7f544a4d26cbd60bedf9c67893a0 Issue introduced in 5.8 with commit e2c94d6f572079511945e64537eb1218643f2e68 and fixed in 6.18.8 with commit e6b2609af21b5cccc9559339591b8a2cbf884169 Issue introduced in 5.8 with commit e2c94d6f572079511945e64537eb1218643f2e68 and fixed in 6.19-rc7 with commit 761fcf46a1bd797bd32d23f3ea0141ffd437668a Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-71197 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/w1/slaves/w1_therm.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/6a5820ecfa5a76c3d3e154802c8c15f391ef442e https://git.kernel.org/stable/c/6fd6d2a8e41b7f544a4d26cbd60bedf9c67893a0 https://git.kernel.org/stable/c/e6b2609af21b5cccc9559339591b8a2cbf884169 https://git.kernel.org/stable/c/761fcf46a1bd797bd32d23f3ea0141ffd437668a
Powered by blists - more mailing lists