Patch "thermal: core: prevent potential string overflow" has been added to the 4.19-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Fri, 10 Nov 2023 14:49:44 -0500

This is a note to let you know that I've just added the patch titled

    thermal: core: prevent potential string overflow

to the 4.19-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     thermal-core-prevent-potential-string-overflow.patch
and it can be found in the queue-4.19 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit cc87d6105f73eaf42318e675337567940d7975b6
Author: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Date:   Sat Oct 7 11:59:39 2023 +0300

    thermal: core: prevent potential string overflow
    
    [ Upstream commit c99626092efca3061b387043d4a7399bf75fbdd5 ]
    
    The dev->id value comes from ida_alloc() so it's a number between zero
    and INT_MAX.  If it's too high then these sprintf()s will overflow.
    
    Fixes: 203d3d4aa482 ("the generic thermal sysfs driver")
    Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
    Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@xxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/thermal/thermal_core.c b/drivers/thermal/thermal_core.c
index 6c7825c581b5f..efed0736546dd 100644
--- a/drivers/thermal/thermal_core.c
+++ b/drivers/thermal/thermal_core.c
@@ -734,7 +734,8 @@ int thermal_zone_bind_cooling_device(struct thermal_zone_device *tz,
 	if (result)
 		goto release_ida;
 
-	sprintf(dev->attr_name, "cdev%d_trip_point", dev->id);
+	snprintf(dev->attr_name, sizeof(dev->attr_name), "cdev%d_trip_point",
+		 dev->id);
 	sysfs_attr_init(&dev->attr.attr);
 	dev->attr.attr.name = dev->attr_name;
 	dev->attr.attr.mode = 0444;
@@ -743,7 +744,8 @@ int thermal_zone_bind_cooling_device(struct thermal_zone_device *tz,
 	if (result)
 		goto remove_symbol_link;
 
-	sprintf(dev->weight_attr_name, "cdev%d_weight", dev->id);
+	snprintf(dev->weight_attr_name, sizeof(dev->weight_attr_name),
+		 "cdev%d_weight", dev->id);
 	sysfs_attr_init(&dev->weight_attr.attr);
 	dev->weight_attr.attr.name = dev->weight_attr_name;
 	dev->weight_attr.attr.mode = S_IWUSR | S_IRUGO;






