Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S932133AbdGNMMe (ORCPT <rfc822;w@1wt.eu>);
        Fri, 14 Jul 2017 08:12:34 -0400
Received: from mout.kundenserver.de ([212.227.17.13]:52163 "EHLO
        mout.kundenserver.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1753577AbdGNMMa (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 14 Jul 2017 08:12:30 -0400
From: Arnd Bergmann <arnd@arndb.de>
To: linux-kernel@vger.kernel.org, Henrik Rydberg <rydberg@bitmath.org>,
        Jean Delvare <jdelvare@suse.com>, Guenter Roeck <linux@roeck-us.net>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Linus Torvalds <torvalds@linux-foundation.org>,
        akpm@linux-foundation.org, netdev@vger.kernel.org,
        "David S . Miller" <davem@davemloft.net>,
        "James E . J . Bottomley" <jejb@linux.vnet.ibm.com>,
        "Martin K . Petersen" <martin.petersen@oracle.com>,
        linux-scsi@vger.kernel.org, x86@kernel.org,
        Arnd Bergmann <arnd@arndb.de>, linux-hwmon@vger.kernel.org
Subject: [PATCH 15/22] hwmon: applesmc: fix format string overflow
Date: Fri, 14 Jul 2017 14:07:07 +0200
Message-Id: <20170714120720.906842-16-arnd@arndb.de>
X-Mailer: git-send-email 2.9.0
In-Reply-To: <20170714120720.906842-1-arnd@arndb.de>
References: <20170714120720.906842-1-arnd@arndb.de>
X-Provags-ID: V03:K0:EVXxi8Zcg44DGLm90NBmJx+6uvH9r38SU5y2VcZGqs49u2RA/tf
 eIlhqCGffZNYfX1/j1qJuqmX62baOD/34u30oyYebqM06MNayQ1JOxdHXXxg0EyYJLNnbo3
 pmxhBkLX+GMX3faGLNuLobXDEvg8x6jsIxad0kJZs1McPdk267KGJbT2ediXlZM7YFf7HS4
 vLizQGCpdMNns/0sFawxg==
X-UI-Out-Filterresults: notjunk:1;V01:K0:sP0UG4dlMQE=:akFpSTCBf8Zvk1xK3jYi+l
 /o3D8jhjGvcq/4C4qbUo4tJOn9nKfbYm+mWY+Xq1i8KFvT9/jjk12I+4vT0yzvl5BjSmjmMtn
 wu+0WL6Ipid15zCitDnlu97YD4C31KhBaiFIzuSlJKChIpS6oOFTEy2p7zCT8mIOKjGZXM5JT
 gPFQKscGpCoVSAiB4qpexuIvoLNvD3VblzxrrBT9I2ThL+1SrCho6vCxMTadwAWlReDvwTYtA
 G1Iiz1vCr0Q8j0QRM26Nh4yJM0fDsPNYJtKgV2LFSEczS6SO7/l0KAIyzMDUxLpNy6H9Gv4Km
 PNbe95gWtd6vpVNy+Pr7UGepT/367QPSLEmPP5E1jzDB7f6w5dlUBGyvqhHnBwszO2y61/i8r
 P5MfzU7q2fgM+tRBS1wVIOA/UEZu0BnNZQXZP+EkEKxOFkd9pRe+dzHTMbB79SZRhTJ7sWkCl
 pvnsYfu2WJihG4dnhjEwyRsWBg/edm+BmekLvptlZKwDw5ENzjmz7VnRwNpwowUUsmRGXEBjv
 c012BP9ujV3+lpptOEZWo11MCqnpimsrE/EsnDigxlkPL406db9TYePqxK4pNpn36Qok3fGC6
 HQo4ElkZsMaEykbuMJTQ1qgqDwkOdIIwAJqJCiT2pUSb6MOAAmdR62tQ5sqXnoYkMu5n8y2oI
 y09CZoBuiKKHbYM2jTfSSn4HYzh1WMa0IeALK6QWl+rNJumDN6VK8lUNLOURF1qVKFz8zL7KQ
 +Y0IbQxerhLPETmRCG3EmeKac0tXFAhV2hfjdw==
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1348
Lines: 35

gcc-7 warns that the key might exceed five bytes for lage index
values:

drivers/hwmon/applesmc.c: In function 'applesmc_show_fan_position':
drivers/hwmon/applesmc.c:906:18: error: '%d' directive writing between 1 and 5 bytes into a region of size 4 [-Werror=format-overflow=]
sprintf(newkey, FAN_ID_FMT, to_index(attr));
                ^~~~~~~
drivers/hwmon/applesmc.c:906:18: note: directive argument in the range [0, 65535]
drivers/hwmon/applesmc.c:906:2: note: 'sprintf' output between 5 and 9 bytes into a destination of size 5

As the key is required to be four characters plus trailing zero,
we know that the index has to be small here. I'm using snprintf()
to avoid the warning. This would truncate the string instead of
overflowing.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
---
 drivers/hwmon/applesmc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/hwmon/applesmc.c b/drivers/hwmon/applesmc.c
index 0af7fd311979..515163b9a89f 100644
--- a/drivers/hwmon/applesmc.c
+++ b/drivers/hwmon/applesmc.c
@@ -903,7 +903,7 @@ static ssize_t applesmc_show_fan_position(struct device *dev,
 	char newkey[5];
 	u8 buffer[17];
 
-	sprintf(newkey, FAN_ID_FMT, to_index(attr));
+	snprintf(newkey, sizeof(newkey), FAN_ID_FMT, to_index(attr));
 
 	ret = applesmc_read_key(newkey, buffer, 16);
 	buffer[16] = 0;
-- 
2.9.0