From patchwork Tue Oct  9 05:54:04 2012
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Len Brown <lenb@kernel.org>
X-Patchwork-Id: 1568611
Return-Path: <linux-acpi-owner@vger.kernel.org>
X-Original-To: patchwork-linux-acpi@patchwork.kernel.org
Delivered-To: patchwork-process-083081@patchwork1.kernel.org
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by patchwork1.kernel.org (Postfix) with ESMTP id A94703FE80
	for <patchwork-linux-acpi@patchwork.kernel.org>;
	Tue,  9 Oct 2012 06:09:25 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1752363Ab2JIGJU (ORCPT
	<rfc822;patchwork-linux-acpi@patchwork.kernel.org>);
	Tue, 9 Oct 2012 02:09:20 -0400
Received: from mail-qc0-f174.google.com ([209.85.216.174]:38957 "EHLO
	mail-qc0-f174.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1752853Ab2JIGDD (ORCPT
	<rfc822; linux-acpi@vger.kernel.org>); Tue, 9 Oct 2012 02:03:03 -0400
Received: by mail-qc0-f174.google.com with SMTP id d3so3587711qch.19
	for <multiple recipients>; Mon, 08 Oct 2012 23:03:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=gmail.com; s=20120113;
	h=sender:from:to:cc:subject:date:message-id:x-mailer:in-reply-to
	:references:in-reply-to:references:reply-to:organization;
	bh=tJ9BJYNCrLKGza7WGGUAz8PZx0BOCD29/K+6ODciQz0=;
	b=kF2OOqqnHRz5GuFHbqX4jXNjR5A+rRr2E3hEnTrblnTkyZp0tvtvoXs5ICbOV0iGyU
	YzhZAEwQy7Jxop0Vfx9dSF1PuLEEGtzrb41IIw7SlLc7WDv9miLedpvvv+l7h7MEXtUJ
	moKtCwRyDEzzMCJArSeeYeUg/s/vdEhP3aNCKdIz32RZWRd7BP6rXJZefrKjVuqItKw6
	4FqXa3a1I+Q51eAvHdrW+VMnm9PMD/asp3p0rv4Q+rF3kSrrrbuqrzj8bwC1mCYkORy9
	DZ2JhlRha75JeuKAoFk/POVColGfWS9TqD3wE/0SB492F9BOnpibbbAEH8jdptulPO5J
	kNFQ==
Received: by 10.224.209.8 with SMTP id ge8mr33299499qab.0.1349762582699;
	Mon, 08 Oct 2012 23:03:02 -0700 (PDT)
Received: from x980.localdomain6
	(pool-74-104-146-186.bstnma.fios.verizon.net. [74.104.146.186])
	by mx.google.com with ESMTPS id
	ck11sm20206037qab.17.2012.10.08.23.03.01
	(version=SSLv3 cipher=OTHER); Mon, 08 Oct 2012 23:03:02 -0700 (PDT)
From: Len Brown <lenb@kernel.org>
To: linux-acpi@vger.kernel.org, linux-pm@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, Guenter Roeck <linux@roeck-us.net>,
	"Brown, Len" <len.brown@intel.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	Zhang Rui <rui.zhang@intel.com>
Subject: [PATCH 14/30] thermal: fix potential out-of-bounds memory access
Date: Tue,  9 Oct 2012 01:54:04 -0400
Message-Id: 
 <79a49168b595f5400ed3108cd57e90f5bbe144ca.1349761836.git.len.brown@intel.com>
X-Mailer: git-send-email 1.8.0.rc1
In-Reply-To: <1349762060-25334-1-git-send-email-lenb@kernel.org>
References: <1349762060-25334-1-git-send-email-lenb@kernel.org>
In-Reply-To: 
 <e3f25e6e5836c4790fbe395ff42e241f372d859d.1349761836.git.len.brown@intel.com>
References: 
 <e3f25e6e5836c4790fbe395ff42e241f372d859d.1349761836.git.len.brown@intel.com>
Reply-To: Len Brown <lenb@kernel.org>
Organization: Intel Open Source Technology Center
Sender: linux-acpi-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-acpi.vger.kernel.org>
X-Mailing-List: linux-acpi@vger.kernel.org

From: Guenter Roeck <linux@roeck-us.net>

temp_crit.name and temp_input.name have a length of 16 bytes.  Using
THERMAL_NAME_LENGTH (20) as length parameter for snprintf() may result in
out-of-bounds memory accesses.  Replace it with sizeof().

Addresses Coverity #115679

Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Cc: Len Brown <lenb@kernel.org>
Cc: "Brown, Len" <len.brown@intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Zhang Rui <rui.zhang@intel.com>
---
 drivers/thermal/thermal_sys.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/thermal/thermal_sys.c b/drivers/thermal/thermal_sys.c
index 5be8728..36e6f4d 100644
--- a/drivers/thermal/thermal_sys.c
+++ b/drivers/thermal/thermal_sys.c
@@ -598,7 +598,7 @@ thermal_add_hwmon_sysfs(struct thermal_zone_device *tz)
 	temp->tz = tz;
 	hwmon->count++;
 
-	snprintf(temp->temp_input.name, THERMAL_NAME_LENGTH,
+	snprintf(temp->temp_input.name, sizeof(temp->temp_input.name),
 		 "temp%d_input", hwmon->count);
 	temp->temp_input.attr.attr.name = temp->temp_input.name;
 	temp->temp_input.attr.attr.mode = 0444;
@@ -611,7 +611,8 @@ thermal_add_hwmon_sysfs(struct thermal_zone_device *tz)
 	if (tz->ops->get_crit_temp) {
 		unsigned long temperature;
 		if (!tz->ops->get_crit_temp(tz, &temperature)) {
-			snprintf(temp->temp_crit.name, THERMAL_NAME_LENGTH,
+			snprintf(temp->temp_crit.name,
+				 sizeof(temp->temp_crit.name),
 				"temp%d_crit", hwmon->count);
 			temp->temp_crit.attr.attr.name = temp->temp_crit.name;
 			temp->temp_crit.attr.attr.mode = 0444;