Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

hwmon: (cros_ec) Prevent read overflow in probe()

The "resp.sensor_name" comes from cros_ec_cmd() and it hasn't necessarily
been NUL terminated. We had not intended to read past "sensor_name_size"
bytes, however, there is a width vs precision bug in the format string.
The format needs to be precision '%.*s' instead of width '%*s'.
Precision prevents an out of bounds read, but width is a no-op.

Fixes: bc3e45258096 ("hwmon: add ChromeOS EC driver")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: Guenter Roeck <linux@roeck-us.net>
Acked-by: Thomas Weißschuh <linux@weissschuh.net>
Link: https://lore.kernel.org/r/42331b70-bd3c-496c-8c79-3ec4faad40b8@moroto.mountain
Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>
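
The width versus precision difference described in the commit message, as an added example that is not part of the commit or the driver. The buffer layout, NAME_FIELD and the helper names are assumptions for illustration, and userspace snprintf() stands in for devm_kasprintf().

```c
#include <stdio.h>
#include <string.h>

#define NAME_FIELD 8   /* assumed size of the name field in this example */

/* Constructed sample: an 8-byte name field with no NUL terminator,
 * followed by unrelated bytes standing in for whatever lies after it. */
static const char sample_resp[16] = {
    'C', 'P', 'U', '_', 'T', 'E', 'M', 'P',   /* name field, unterminated */
    'O', 'T', 'H', 'E', 'R', 0, 0, 0          /* adjacent data */
};

/* Bounded length, same contract as strnlen(): never looks past max bytes. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Width form (the pre-fix format): n is only a minimum field width, so
 * the conversion keeps reading until it finds a NUL byte. */
static int fmt_width(char *out, size_t outsz, const char *name, size_t max)
{
    return snprintf(out, outsz, "%*s", (int)bounded_len(name, max), name);
}

/* Precision form (the fixed format): at most n bytes of name are read. */
static int fmt_precision(char *out, size_t outsz, const char *name, size_t max)
{
    return snprintf(out, outsz, "%.*s", (int)bounded_len(name, max), name);
}

int main(void)
{
    char a[32], b[32];

    fmt_width(a, sizeof(a), sample_resp, NAME_FIELD);
    fmt_precision(b, sizeof(b), sample_resp, NAME_FIELD);
    printf("width     %%*s  -> \"%s\"\n", a);   /* runs past the field */
    printf("precision %%.*s -> \"%s\"\n", b);   /* stops at the field end */
    return 0;
}
```

In the sample the bytes after the field are part of the same array, so the over-read is well defined here; in the driver the bytes past resp.sensor_name are whatever happens to follow it in memory.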

authored by Dan Carpenter and committed by Tzung-Bi Shih
1f72dd04 04ca0a51

+1 -1
drivers/hwmon/cros_ec_hwmon.c
··· 212 212 continue; 213 213 214 214 sensor_name_size = strnlen(resp.sensor_name, sizeof(resp.sensor_name)); 215 - priv->temp_sensor_names[i] = devm_kasprintf(dev, GFP_KERNEL, "%*s", 215 + priv->temp_sensor_names[i] = devm_kasprintf(dev, GFP_KERNEL, "%.*s", 216 216 (int)sensor_name_size, 217 217 resp.sensor_name); 218 218 }
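
Review bot: the devm_kasprintf() result stored in priv->temp_sensor_names[i] is not checked anywhere in this hunk; the loop body closes right after the call, so an allocation failure leaves a NULL name in the array. Either handle the failure at this point or note where readers of temp_sensor_names[] tolerate NULL. The format change itself is consistent with the surrounding lines: sensor_name_size comes from strnlen(resp.sensor_name, sizeof(resp.sensor_name)), so with "%.*s" the (int)sensor_name_size argument caps the bytes read at the size of the field, and the cast cannot truncate.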