lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <6d4b05af-40ec-4bbf-9045-f259315e5332@kernel.org>
Date: Tue, 16 Dec 2025 14:16:11 +0100
From: Krzysztof Kozlowski <krzk@...nel.org>
To: David Laight <david.laight.linux@...il.com>
Cc: Thorsten Blum <thorsten.blum@...ux.dev>, Huisong Li
 <lihuisong@...wei.com>, Akira Shimahara <akira215corp@...il.com>,
 Greg Kroah-Hartman <gregkh@...uxfoundation.org>, stable@...r.kernel.org,
 linux-kernel@...r.kernel.org
Subject: Re: [PATCH v4] w1: therm: Fix off-by-one buffer overflow in
 alarms_store

On 16/12/2025 10:28, David Laight wrote:
> On Tue, 16 Dec 2025 08:11:13 +0100
> Krzysztof Kozlowski <krzk@...nel.org> wrote:
> 
>> On 11/11/2025 21:44, Thorsten Blum wrote:
>>> The sysfs buffer passed to alarms_store() is allocated with 'size + 1'
>>> bytes and a NUL terminator is appended. However, the 'size' argument
>>> does not account for this extra byte. The original code then allocated
>>> 'size' bytes and used strcpy() to copy 'buf', which always writes one
>>> byte past the allocated buffer since strcpy() copies until the NUL
>>> terminator at index 'size'.
>>>
>>> Fix this by parsing the 'buf' parameter directly using simple_strtoll()
>>> without allocating any intermediate memory or string copying. This
>>> removes the overflow while simplifying the code.
>>>
>>> Cc: stable@...r.kernel.org
>>> Fixes: e2c94d6f5720 ("w1_therm: adding alarm sysfs entry")
>>> Signed-off-by: Thorsten Blum <thorsten.blum@...ux.dev>
>>> ---
>>> Compile-tested only.
>>>
>>> Changes in v4:
>>> - Use simple_strtoll because kstrtoint also parses long long internally
>>> - Return -ERANGE in addition to -EINVAL to match kstrtoint's behavior
>>> - Remove any changes unrelated to fixing the buffer overflow (Krzysztof)
>>>   while maintaining the same behavior and return values as before
>>> - Link to v3: https://lore.kernel.org/lkml/20251030155614.447905-1-thorsten.blum@linux.dev/
>>>
>>> Changes in v3:
>>> - Add integer range check for 'temp' to match kstrtoint() behavior
>>> - Explicitly cast 'temp' to int when calling int_to_short()
>>> - Link to v2: https://lore.kernel.org/lkml/20251029130045.70127-2-thorsten.blum@linux.dev/
>>>
>>> Changes in v2:
>>> - Fix buffer overflow instead of truncating the copy using strscpy()
>>> - Parse buffer directly using simple_strtol() as suggested by David
>>> - Update patch subject and description
>>> - Link to v1: https://lore.kernel.org/lkml/20251017170047.114224-2-thorsten.blum@linux.dev/
>>> ---
>>>  drivers/w1/slaves/w1_therm.c | 64 ++++++++++++------------------------
>>>  1 file changed, 21 insertions(+), 43 deletions(-)
>>>
>>> diff --git a/drivers/w1/slaves/w1_therm.c b/drivers/w1/slaves/w1_therm.c
>>> index 9ccedb3264fb..5707fa34e804 100644
>>> --- a/drivers/w1/slaves/w1_therm.c
>>> +++ b/drivers/w1/slaves/w1_therm.c
>>> @@ -1836,55 +1836,36 @@ static ssize_t alarms_store(struct device *device,
>>>  	struct w1_slave *sl = dev_to_w1_slave(device);
>>>  	struct therm_info info;
>>>  	u8 new_config_register[3];	/* array of data to be written */
>>> -	int temp, ret;
>>> -	char *token = NULL;
>>> +	long long temp;
>>> +	int ret = 0;
>>>  	s8 tl, th;	/* 1 byte per value + temp ring order */
>>> -	char *p_args, *orig;
>>> -
>>> -	p_args = orig = kmalloc(size, GFP_KERNEL);
>>> -	/* Safe string copys as buf is const */
>>> -	if (!p_args) {
>>> -		dev_warn(device,
>>> -			"%s: error unable to allocate memory %d\n",
>>> -			__func__, -ENOMEM);
>>> -		return size;
>>> -	}
>>> -	strcpy(p_args, buf);
>>> -
>>> -	/* Split string using space char */
>>> -	token = strsep(&p_args, " ");
>>> -
>>> -	if (!token)	{
>>> -		dev_info(device,
>>> -			"%s: error parsing args %d\n", __func__, -EINVAL);
>>> -		goto free_m;
>>> -	}
>>> -
>>> -	/* Convert 1st entry to int */
>>> -	ret = kstrtoint (token, 10, &temp);
>>> +	const char *p = buf;
>>> +	char *endp;
>>> +
>>> +	temp = simple_strtoll(p, &endp, 10);  
>>
>> Why using this, instead of explicitly encouraged kstrtoll()?
> 
> Because the code needs to look at the terminating character.
> The kstrtoxxx() family only support buffers that contain a single value.
> While they return an indication of 'overflow' they are useless for
> more general parameter parsing.
> 
> The simple_strtoxxx() could detect overflow and then set 'endp'
> to the digit that make the value too big - which should give an
> error provided the callers checks the separator.


Yes, there are two values here, so obviously this is right.

Best regards,
Krzysztof

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ