On Sat, Oct 7, 2023 at 10:59 AM Dan Carpenter <dan.carpenter@xxxxxxxxxx> wrote:
>
> The dev->id value comes from ida_alloc() so it's a number between zero
> and INT_MAX. If it's too high then these sprintf()s will overflow.
>
> Fixes: 203d3d4aa482 ("the generic thermal sysfs driver")
> Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
> ---
> drivers/thermal/thermal_core.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/thermal/thermal_core.c b/drivers/thermal/thermal_core.c
> index 45d0aa0b69b7..61f0b5a3b00c 100644
> --- a/drivers/thermal/thermal_core.c
> +++ b/drivers/thermal/thermal_core.c
> @@ -681,7 +681,8 @@ int thermal_bind_cdev_to_trip(struct thermal_zone_device *tz,
> if (result)
> goto release_ida;
>
> - sprintf(dev->attr_name, "cdev%d_trip_point", dev->id);
> + snprintf(dev->attr_name, sizeof(dev->attr_name), "cdev%d_trip_point",
> + dev->id);
> sysfs_attr_init(&dev->attr.attr);
> dev->attr.attr.name = dev->attr_name;
> dev->attr.attr.mode = 0444;
> @@ -690,7 +691,8 @@ int thermal_bind_cdev_to_trip(struct thermal_zone_device *tz,
> if (result)
> goto remove_symbol_link;
>
> - sprintf(dev->weight_attr_name, "cdev%d_weight", dev->id);
> + snprintf(dev->weight_attr_name, sizeof(dev->weight_attr_name),
> + "cdev%d_weight", dev->id);
> sysfs_attr_init(&dev->weight_attr.attr);
> dev->weight_attr.attr.name = dev->weight_attr_name;
> dev->weight_attr.attr.mode = S_IWUSR | S_IRUGO;
> --
Applied as 6.7 material, thanks!
