| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <DB14BF54-DA19-408C-8D0E-65279AF19282@linux.dev>
Date: Wed, 29 Oct 2025 16:25:59 +0100
From: Thorsten Blum <thorsten.blum@...ux.dev>
To: David Laight <david.laight.linux@...il.com>,
Krzysztof Kozlowski <krzk@...nel.org>,
Huisong Li <lihuisong@...wei.com>,
Akira Shimahara <akira215corp@...il.com>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc: stable@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] w1: therm: Fix off-by-one buffer overflow in
alarms_store
On 29. Oct 2025, at 14:00, Thorsten Blum wrote:
> The sysfs buffer passed to alarms_store() is allocated with 'size + 1'
> bytes and a NUL terminator is appended. However, the 'size' argument
> does not account for this extra byte. The original code then allocated
> 'size' bytes and used strcpy() to copy 'buf', which always writes one
> byte past the allocated buffer since strcpy() copies until the NUL
> terminator at index 'size'.
>
> Fix this by parsing the 'buf' parameter directly using simple_strtol()
> without allocating any intermediate memory or string copying. This
> removes the overflow while simplifying the code.
>
> Cc: stable@...r.kernel.org
> Fixes: e2c94d6f5720 ("w1_therm: adding alarm sysfs entry")
> Signed-off-by: Thorsten Blum <thorsten.blum@...ux.dev>
> ---
I should still add overflow detection to simple_strtol() to match the
behavior of kstrtoint(), but please let me know what you think of the
current version first.
Thanks,
Thorsten
Powered by blists - more mailing lists