lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <ad221cac-0b1c-41f0-9fd9-b2717de3ea06@kernel.org>
Date: Thu, 18 Dec 2025 17:00:55 +0100
From: Krzysztof Kozlowski <krzk@...nel.org>
To: Thorsten Blum <thorsten.blum@...ux.dev>,
 David Laight <david.laight.linux@...il.com>,
 Huisong Li <lihuisong@...wei.com>, Akira Shimahara <akira215corp@...il.com>,
 Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc: stable@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v5] w1: therm: Fix off-by-one buffer overflow in
 alarms_store

On 16/12/2025 15:50, Thorsten Blum wrote:
> The sysfs buffer passed to alarms_store() is allocated with 'size + 1'
> bytes and a NUL terminator is appended. However, the 'size' argument
> does not account for this extra byte. The original code then allocated
> 'size' bytes and used strcpy() to copy 'buf', which always writes one
> byte past the allocated buffer since strcpy() copies until the NUL
> terminator at index 'size'.
> 
> Fix this by parsing the 'buf' parameter directly using simple_strtoll()
> without allocating any intermediate memory or string copying. This
> removes the overflow while simplifying the code.
> 
> Cc: stable@...r.kernel.org
> Fixes: e2c94d6f5720 ("w1_therm: adding alarm sysfs entry")
> Signed-off-by: Thorsten Blum <thorsten.blum@...ux.dev>
> ---
> Compile-tested only.
> 
> Changes in v5:
> - Replace gotos with return size (Krzysztof)
> - Link to v4: https://lore.kernel.org/lkml/20251111204422.41993-2-thorsten.blum@linux.dev/
> 
> Changes in v4:
> - Use simple_strtoll because kstrtoint also parses long long internally
> - Return -ERANGE in addition to -EINVAL to match kstrtoint's behavior
> - Remove any changes unrelated to fixing the buffer overflow (Krzysztof)
>   while maintaining the same behavior and return values as before
> - Link to v3: https://lore.kernel.org/lkml/20251030155614.447905-1-thorsten.blum@linux.dev/
> 
> Changes in v3:
> - Add integer range check for 'temp' to match kstrtoint() behavior
> - Explicitly cast 'temp' to int when calling int_to_short()
> - Link to v2: https://lore.kernel.org/lkml/20251029130045.70127-2-thorsten.blum@linux.dev/
> 
> Changes in v2:
> - Fix buffer overflow instead of truncating the copy using strscpy()
> - Parse buffer directly using simple_strtol() as suggested by David
> - Update patch subject and description
> - Link to v1: https://lore.kernel.org/lkml/20251017170047.114224-2-thorsten.blum@linux.dev/
> ---
>  drivers/w1/slaves/w1_therm.c | 63 ++++++++++++------------------------
>  1 file changed, 20 insertions(+), 43 deletions(-)
> 
> diff --git a/drivers/w1/slaves/w1_therm.c b/drivers/w1/slaves/w1_therm.c
> index 9ccedb3264fb..5c4e40883400 100644
> --- a/drivers/w1/slaves/w1_therm.c
> +++ b/drivers/w1/slaves/w1_therm.c
> @@ -1836,55 +1836,36 @@ static ssize_t alarms_store(struct device *device,
>  	struct w1_slave *sl = dev_to_w1_slave(device);
>  	struct therm_info info;
>  	u8 new_config_register[3];	/* array of data to be written */
> -	int temp, ret;
> -	char *token = NULL;
> +	long long temp;
> +	int ret = 0;
>  	s8 tl, th;	/* 1 byte per value + temp ring order */
> -	char *p_args, *orig;
> -
> -	p_args = orig = kmalloc(size, GFP_KERNEL);
> -	/* Safe string copys as buf is const */
> -	if (!p_args) {
> -		dev_warn(device,
> -			"%s: error unable to allocate memory %d\n",
> -			__func__, -ENOMEM);
> -		return size;
> -	}
> -	strcpy(p_args, buf);
> -
> -	/* Split string using space char */
> -	token = strsep(&p_args, " ");
> -
> -	if (!token)	{
> -		dev_info(device,
> -			"%s: error parsing args %d\n", __func__, -EINVAL);
> -		goto free_m;
> -	}
> -
> -	/* Convert 1st entry to int */
> -	ret = kstrtoint (token, 10, &temp);
> +	const char *p = buf;
> +	char *endp;
> +
> +	temp = simple_strtoll(p, &endp, 10);
> +	if (p == endp || *endp != ' ')
> +		ret = -EINVAL;
> +	else if (temp < INT_MIN || temp > INT_MAX)
> +		ret = -ERANGE;
>  	if (ret) {
>  		dev_info(device,
>  			"%s: error parsing args %d\n", __func__, ret);
> -		goto free_m;
> +		return size;
>  	}
>  
>  	tl = int_to_short(temp);
>  
> -	/* Split string using space char */
> -	token = strsep(&p_args, " ");
> -	if (!token)	{
> -		dev_info(device,
> -			"%s: error parsing args %d\n", __func__, -EINVAL);
> -		goto free_m;
> -	}
> -	/* Convert 2nd entry to int */
> -	ret = kstrtoint (token, 10, &temp);
> +	p = endp + 1;
> +	temp = simple_strtoll(p, &endp, 10);
> +	if (p == endp)
> +		ret = -EINVAL;
> +	else if (temp < INT_MIN || temp > INT_MAX)
> +		ret = -ERANGE;
>  	if (ret) {
>  		dev_info(device,
>  			"%s: error parsing args %d\n", __func__, ret);
> -		goto free_m;
> +		return size;
>  	}
> -

That's another unusual change appearing in v5. Please pay attention to
differences you introduce between versions, so to what you exactly do.

>  	/* Prepare to cast to short by eliminating out of range values */
>  	th = int_to_short(temp);
>  
> @@ -1905,7 +1886,7 @@ static ssize_t alarms_store(struct device *device,
>  		dev_info(device,
>  			"%s: error reading from the slave device %d\n",
>  			__func__, ret);
> -		goto free_m;


Best regards,
Krzysztof

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ