| Message ID | 20210916131342.GB25094@kili |
|---|---|
| State | Accepted |
| Commit | 1bb30b20b49773369c299d4d6c65227201328663 |
| Headers | show |
| Series | thermal/core: Potential buffer overflow in thermal_build_list_of_policies() | expand |
On 16/09/2021 15:13, Dan Carpenter wrote: > After printing the list of thermal governors, then this function prints > a newline character. The problem is that "size" has not been updated > after printing the last governor. This means that it can write one > character (the NUL terminator) beyond the end of the buffer. > > Get rid of the "size" variable and just use "PAGE_SIZE - count" directly. > > Fixes: 1b4f48494eb2 ("thermal: core: group functions related to governor handling") > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> > --- Applied, thanks > drivers/thermal/thermal_core.c | 7 +++---- > 1 file changed, 3 insertions(+), 4 deletions(-) > > diff --git a/drivers/thermal/thermal_core.c b/drivers/thermal/thermal_core.c > index 97ef9b040b84..51374f4e1cca 100644 > --- a/drivers/thermal/thermal_core.c > +++ b/drivers/thermal/thermal_core.c > @@ -222,15 +222,14 @@ int thermal_build_list_of_policies(char *buf) > { > struct thermal_governor *pos; > ssize_t count = 0; > - ssize_t size = PAGE_SIZE; > > mutex_lock(&thermal_governor_lock); > > list_for_each_entry(pos, &thermal_governor_list, governor_list) { > - size = PAGE_SIZE - count; > - count += scnprintf(buf + count, size, "%s ", pos->name); > + count += scnprintf(buf + count, PAGE_SIZE - count, "%s ", > + pos->name); > } > - count += scnprintf(buf + count, size, "\n"); > + count += scnprintf(buf + count, PAGE_SIZE - count, "\n"); > > mutex_unlock(&thermal_governor_lock); > > -- <http://www.linaro.org/> Linaro.org │ Open source software for ARM SoCs Follow Linaro: <http://www.facebook.com/pages/Linaro> Facebook | <http://twitter.com/#!/linaroorg> Twitter | <http://www.linaro.org/linaro-blog/> Blog
diff --git a/drivers/thermal/thermal_core.c b/drivers/thermal/thermal_core.c index 97ef9b040b84..51374f4e1cca 100644 --- a/drivers/thermal/thermal_core.c +++ b/drivers/thermal/thermal_core.c @@ -222,15 +222,14 @@ int thermal_build_list_of_policies(char *buf) { struct thermal_governor *pos; ssize_t count = 0; - ssize_t size = PAGE_SIZE; mutex_lock(&thermal_governor_lock); list_for_each_entry(pos, &thermal_governor_list, governor_list) { - size = PAGE_SIZE - count; - count += scnprintf(buf + count, size, "%s ", pos->name); + count += scnprintf(buf + count, PAGE_SIZE - count, "%s ", + pos->name); } - count += scnprintf(buf + count, size, "\n"); + count += scnprintf(buf + count, PAGE_SIZE - count, "\n"); mutex_unlock(&thermal_governor_lock);
After printing the list of thermal governors, then this function prints a newline character. The problem is that "size" has not been updated after printing the last governor. This means that it can write one character (the NUL terminator) beyond the end of the buffer. Get rid of the "size" variable and just use "PAGE_SIZE - count" directly. Fixes: 1b4f48494eb2 ("thermal: core: group functions related to governor handling") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> --- drivers/thermal/thermal_core.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-)