hwmon: (cros_ec) Prevent read overflow in probe()

Message ID	42331b70-bd3c-496c-8c79-3ec4faad40b8@moroto.mountain (mailing list archive)
State	Accepted
Commit	1f72dd046270ff44e5fd43045c4d0bb025f88607
Headers	show Received: from mail-ej1-f53.google.com (mail-ej1-f53.google.com [209.85.218.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 9019C195F0A for <chrome-platform@lists.linux.dev>; Thu, 6 Jun 2024 13:12:17 +0000 (UTC) Date: Thu, 6 Jun 2024 16:12:11 +0300 From: Dan Carpenter <dan.carpenter@linaro.org> To: Thomas =?iso-8859-1?q?Wei=DFschuh?= <linux@weissschuh.net> Cc: Thomas =?iso-8859-1?q?Wei=DFschuh?= <thomas@weissschuh.net>, Jean Delvare <jdelvare@suse.com>, Guenter Roeck <linux@roeck-us.net>, Benson Leung <bleung@chromium.org>, Tzung-Bi Shih <tzungbi@kernel.org>, chrome-platform@lists.linux.dev, linux-hwmon@vger.kernel.org, linux-kernel@vger.kernel.org, kernel-janitors@vger.kernel.org Subject: [PATCH] hwmon: (cros_ec) Prevent read overflow in probe() Message-ID: <42331b70-bd3c-496c-8c79-3ec4faad40b8@moroto.mountain> Precedence: bulk MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline
Series	hwmon: (cros_ec) Prevent read overflow in probe() \| expand hwmon: (cros_ec) Prevent read overflow in probe()

Message ID

42331b70-bd3c-496c-8c79-3ec4faad40b8@moroto.mountain (mailing list archive)

State

Accepted

Commit

1f72dd046270ff44e5fd43045c4d0bb025f88607

Headers

Date: Thu, 6 Jun 2024 16:12:11 +0300
From: Dan Carpenter <dan.carpenter@linaro.org>
To: Thomas =?iso-8859-1?q?Wei=DFschuh?= <linux@weissschuh.net>
Cc: Thomas =?iso-8859-1?q?Wei=DFschuh?= <thomas@weissschuh.net>,
 Jean Delvare <jdelvare@suse.com>, Guenter Roeck <linux@roeck-us.net>,
 Benson Leung <bleung@chromium.org>, Tzung-Bi Shih <tzungbi@kernel.org>,
 chrome-platform@lists.linux.dev, linux-hwmon@vger.kernel.org,
 linux-kernel@vger.kernel.org, kernel-janitors@vger.kernel.org
Subject: [PATCH] hwmon: (cros_ec) Prevent read overflow in probe()
Message-ID: <42331b70-bd3c-496c-8c79-3ec4faad40b8@moroto.mountain>
Precedence: bulk
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Series

hwmon: (cros_ec) Prevent read overflow in probe() | expand

Commit Message

Dan Carpenter June 6, 2024, 1:12 p.m. UTC

The "resp.sensor_name" comes from cros_ec_cmd() and it hasn't necessarily
been NUL terminated.  We had not intended to read past "sensor_name_size"
bytes, however, there is a width vs precision bug in the format string.
The format needs to be precision '%.*s' instead of width '%*s'.
Precision prevents an out of bounds read, but width is a no-op.

Fixes: bc3e45258096 ("hwmon: add ChromeOS EC driver")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
---
 drivers/hwmon/cros_ec_hwmon.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Guenter Roeck June 6, 2024, 2:05 p.m. UTC | #1

On 6/6/24 06:12, Dan Carpenter wrote:
> The "resp.sensor_name" comes from cros_ec_cmd() and it hasn't necessarily
> been NUL terminated.  We had not intended to read past "sensor_name_size"
> bytes, however, there is a width vs precision bug in the format string.
> The format needs to be precision '%.*s' instead of width '%*s'.
> Precision prevents an out of bounds read, but width is a no-op.
> 
> Fixes: bc3e45258096 ("hwmon: add ChromeOS EC driver")
> Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

Reviewed-by: Guenter Roeck <linux@roeck-us.net>

> ---
>   drivers/hwmon/cros_ec_hwmon.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/hwmon/cros_ec_hwmon.c b/drivers/hwmon/cros_ec_hwmon.c
> index 41f268fa8260..b3ba7247e06b 100644
> --- a/drivers/hwmon/cros_ec_hwmon.c
> +++ b/drivers/hwmon/cros_ec_hwmon.c
> @@ -212,7 +212,7 @@ static void cros_ec_hwmon_probe_temp_sensors(struct device *dev, struct cros_ec_
>   			continue;
>   
>   		sensor_name_size = strnlen(resp.sensor_name, sizeof(resp.sensor_name));
> -		priv->temp_sensor_names[i] = devm_kasprintf(dev, GFP_KERNEL, "%*s",
> +		priv->temp_sensor_names[i] = devm_kasprintf(dev, GFP_KERNEL, "%.*s",
>   							    (int)sensor_name_size,
>   							    resp.sensor_name);
>   	}

Thomas Weißschuh June 6, 2024, 2:30 p.m. UTC | #2

Thanks!

On 2024-06-06 16:12:11+0000, Dan Carpenter wrote:
> The "resp.sensor_name" comes from cros_ec_cmd() and it hasn't necessarily
> been NUL terminated.  We had not intended to read past "sensor_name_size"
> bytes, however, there is a width vs precision bug in the format string.
> The format needs to be precision '%.*s' instead of width '%*s'.
> Precision prevents an out of bounds read, but width is a no-op.
> 
> Fixes: bc3e45258096 ("hwmon: add ChromeOS EC driver")
> Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

Acked-by: Thomas Weißschuh <linux@weissschuh.net>

devm_kstrndup() would have been nice.


Thomas

patchwork-bot+chrome-platform@kernel.org June 7, 2024, 10:10 a.m. UTC | #3

Hello:

This patch was applied to chrome-platform/linux.git (for-kernelci)
by Tzung-Bi Shih <tzungbi@kernel.org>:

On Thu, 6 Jun 2024 16:12:11 +0300 you wrote:
> The "resp.sensor_name" comes from cros_ec_cmd() and it hasn't necessarily
> been NUL terminated.  We had not intended to read past "sensor_name_size"
> bytes, however, there is a width vs precision bug in the format string.
> The format needs to be precision '%.*s' instead of width '%*s'.
> Precision prevents an out of bounds read, but width is a no-op.
> 
> Fixes: bc3e45258096 ("hwmon: add ChromeOS EC driver")
> Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
> 
> [...]

Here is the summary with links:
  - hwmon: (cros_ec) Prevent read overflow in probe()
    https://git.kernel.org/chrome-platform/c/1f72dd046270

You are awesome, thank you!

patchwork-bot+chrome-platform@kernel.org June 7, 2024, 10:10 a.m. UTC | #4

Hello:

This patch was applied to chrome-platform/linux.git (for-next)
by Tzung-Bi Shih <tzungbi@kernel.org>:

On Thu, 6 Jun 2024 16:12:11 +0300 you wrote:
> The "resp.sensor_name" comes from cros_ec_cmd() and it hasn't necessarily
> been NUL terminated.  We had not intended to read past "sensor_name_size"
> bytes, however, there is a width vs precision bug in the format string.
> The format needs to be precision '%.*s' instead of width '%*s'.
> Precision prevents an out of bounds read, but width is a no-op.
> 
> Fixes: bc3e45258096 ("hwmon: add ChromeOS EC driver")
> Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
> 
> [...]

Here is the summary with links:
  - hwmon: (cros_ec) Prevent read overflow in probe()
    https://git.kernel.org/chrome-platform/c/1f72dd046270

You are awesome, thank you!

diff --git a/drivers/hwmon/cros_ec_hwmon.c b/drivers/hwmon/cros_ec_hwmon.c
index 41f268fa8260..b3ba7247e06b 100644
--- a/drivers/hwmon/cros_ec_hwmon.c
+++ b/drivers/hwmon/cros_ec_hwmon.c
@@ -212,7 +212,7 @@  static void cros_ec_hwmon_probe_temp_sensors(struct device *dev, struct cros_ec_
 			continue;
 
 		sensor_name_size = strnlen(resp.sensor_name, sizeof(resp.sensor_name));
-		priv->temp_sensor_names[i] = devm_kasprintf(dev, GFP_KERNEL, "%*s",
+		priv->temp_sensor_names[i] = devm_kasprintf(dev, GFP_KERNEL, "%.*s",
 							    (int)sensor_name_size,
 							    resp.sensor_name);
 	}

hwmon: (cros_ec) Prevent read overflow in probe()

Commit Message

Comments

Patch