Received: by 2002:a05:6a10:d5a5:0:0:0:0 with SMTP id gn37csp3729986pxb; Mon, 4 Oct 2021 08:24:17 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyP6cwohGXMW15XS6X6Wo2bw/znHOCiyZqocCLGWYeJ1AsRQMyg/2x1cGzjZ+HuqYfGDI5t X-Received: by 2002:a17:903:120e:b0:138:d732:3b01 with SMTP id l14-20020a170903120e00b00138d7323b01mr255161plh.21.1633361057292; Mon, 04 Oct 2021 08:24:17 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1633361057; cv=none; d=google.com; s=arc-20160816; b=zKCBBhXuMk4cCIithd4xrFZSb02VBtgr2rx+Q4i3MVH6qjv7SSZe7NzIxd+LBv0Meb /hmqwla80vbnXsj7+GiiNgoJeWNy4DMj2DyyTp/STe+idtXkuh0qI0WC1KDj0bLird/W 4g0nGKkn1zkkIWqYpgJ1wokcxFMKc7GFA/ajf9Paat/Mi9C4OBeN3DfmEr4vI2DvQU53 l/+z99TE0KOBSx1HSFWfg/siS8pDgaC6z9xGH1GOkP+7xdvj0081R9ZrB1cKar+aVbZF S9INjDBYYFLH+zenpIt8BOwUKgZwYgRTPNbEd3148cCc3ZVjY+UcTpoVu63LZGBnfWDT owwQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=m6wtkbSfJp1sr7zdTzX5In5ZsuBUGPgiJmAN4yp/9mQ=; b=F7DifQHqddikHTxOdJRaI/fBOuBIR7OU5zNn74YJFADmDigCO/OS8T3SLMrTVh+9He pgfzgoUvMZ6+j387XPXVlXlyEMszhokbWkkw6ZbyGpaNDC4nYxpenEJjn507Z868/9MP DwnQ5i0iK/ZNSFzMtz+YipJPIpSXVh+pMjFlozTi1O96/l2ochLqYmsbQXmZVBzPJtxG HAtLZrds5jGKeNyrdvtb+3k9QwZw1WCT5OnBsLLDMYtvqAtx/tWdQFWNYKj+ypqlE8aD NaJpxU8mx9nPp166RaNc2eyW0rMl9xUXo7NmSJ4dYk4KyQRsKwNMGEvFdEd5MgY223qH 8g+g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=fGdw1VRa; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id q18si1759660pjp.61.2021.10.04.08.23.50; Mon, 04 Oct 2021 08:24:17 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=fGdw1VRa; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233972AbhJDNMq (ORCPT + 99 others); Mon, 4 Oct 2021 09:12:46 -0400 Received: from mail.kernel.org ([198.145.29.99]:45454 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235494AbhJDNKX (ORCPT ); Mon, 4 Oct 2021 09:10:23 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id EAB4061B4D; Mon, 4 Oct 2021 13:03:50 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1633352631; bh=AxFF/DU4/SruWEIxK2y7bmO1CamUlBFyWrvZK9QzI+I=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=fGdw1VRaqVvpKUbKkY+BU7g8hMgGnFJWQ41aG6ASppC2pcA5aotOcKxsBJnj3L7pv 3qsiLZCqE7mQan6GhywBaK5Ifprw4MXrcw4GxH+M2T1TZdiyc2Dv8pgrXLVGGmZ/Ey tz9guBV5Zqid1+znoTgPQuVLATUttR6pxnnU2ezU= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Dan Carpenter , Daniel Lezcano , Sasha Levin Subject: [PATCH 4.19 28/95] thermal/core: Potential buffer overflow in thermal_build_list_of_policies() Date: Mon, 4 Oct 2021 14:51:58 +0200 Message-Id: <20211004125034.482989824@linuxfoundation.org> X-Mailer: git-send-email 2.33.0 In-Reply-To: <20211004125033.572932188@linuxfoundation.org> References: <20211004125033.572932188@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Dan Carpenter [ Upstream commit 1bb30b20b49773369c299d4d6c65227201328663 ] After printing the list of thermal governors, then this function prints a newline character. The problem is that "size" has not been updated after printing the last governor. This means that it can write one character (the NUL terminator) beyond the end of the buffer. Get rid of the "size" variable and just use "PAGE_SIZE - count" directly. Fixes: 1b4f48494eb2 ("thermal: core: group functions related to governor handling") Signed-off-by: Dan Carpenter Signed-off-by: Daniel Lezcano Link: https://lore.kernel.org/r/20210916131342.GB25094@kili Signed-off-by: Sasha Levin --- drivers/thermal/thermal_core.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/drivers/thermal/thermal_core.c b/drivers/thermal/thermal_core.c index a24296d68f3e..ae60599c462b 100644 --- a/drivers/thermal/thermal_core.c +++ b/drivers/thermal/thermal_core.c @@ -228,15 +228,14 @@ int thermal_build_list_of_policies(char *buf) { struct thermal_governor *pos; ssize_t count = 0; - ssize_t size = PAGE_SIZE; mutex_lock(&thermal_governor_lock); list_for_each_entry(pos, &thermal_governor_list, governor_list) { - size = PAGE_SIZE - count; - count += scnprintf(buf + count, size, "%s ", pos->name); + count += scnprintf(buf + count, PAGE_SIZE - count, "%s ", + pos->name); } - count += scnprintf(buf + count, size, "\n"); + count += scnprintf(buf + count, PAGE_SIZE - count, "\n"); mutex_unlock(&thermal_governor_lock); -- 2.33.0