[PATCH 1/3] thermal: testing: Avoid NULL pointer dereference on missing arg

Next message: Ovidiu Panait: "[PATCH 2/3] thermal: testing: Replace sscanf() with kstrtoint()"
Previous message: Dmitry Torokhov: "Re: [PATCH v2 4/4] dt-bindings: input: remove obsolete matrix-keymap.txt"
Next in thread: Ovidiu Panait: "[PATCH 2/3] thermal: testing: Replace sscanf() with kstrtoint()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Ovidiu Panait

Date: Sat Jun 06 2026 - 17:05:19 EST

Commands such as deltz expect an argument after the ":" separator.
When the separator is missing, arg gets set to NULL, which is fed
directly to sscanf(). This causes a NULL ptr dereference:

$ echo deltz > /sys/kernel/debug/thermal-testing/command
BUG: kernel NULL pointer dereference, address: 0000000000000000
...
sscanf+0x57/0x80
tt_del_tz+0x39/0x1e0
tt_command_write+0x115/0x140
full_proxy_write+0x5d/0x90
vfs_write+0xd2/0x480
? srso_alias_return_thunk+0x5/0xfbef5
? count_memcg_events+0x8b/0x1a0
? srso_alias_return_thunk+0x5/0xfbef5
ksys_write+0x75/0xf0
__x64_sys_write+0x1d/0x30
x64_sys_call+0x223/0x1dd0
do_syscall_64+0x97/0x4b0
entry_SYSCALL_64_after_hwframe+0x76/0x7e

To fix this, make arg an empty string instead of leaving it NULL when the
separator is missing. sscanf() then fails correctly with -EINVAL on it.

Fixes: f6a034f2df42 ("thermal: Introduce a debugfs-based testing facility")
Signed-off-by: Ovidiu Panait <ovidiu.panait.oss@xxxxxxxxx>
---
drivers/thermal/testing/command.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/drivers/thermal/testing/command.c b/drivers/thermal/testing/command.c
index 1159ecea57e7..5513a26feed7 100644
--- a/drivers/thermal/testing/command.c
+++ b/drivers/thermal/testing/command.c
@@ -150,6 +150,8 @@ static ssize_t tt_command_process(char *s)
if (arg) {
*arg = '\0';
arg++;
+ } else {
+ arg = s + strlen(s);
}

for (i = 0; i < ARRAY_SIZE(tt_command_strings); i++) {
--
2.53.0