Re: [PATCH] hwmon: (cros_ec) Prevent read overflow in probe()

From: Guenter Roeck
Date: Thu Jun 06 2024 - 10:06:13 EST


On 6/6/24 06:12, Dan Carpenter wrote:
The "resp.sensor_name" comes from cros_ec_cmd() and it hasn't necessarily
been NUL terminated. We had not intended to read past "sensor_name_size"
bytes, however, there is a width vs precision bug in the format string.
The format needs to be precision '%.*s' instead of width '%*s'.
Precision prevents an out of bounds read, but width is a no-op.

Fixes: bc3e45258096 ("hwmon: add ChromeOS EC driver")
Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>

Reviewed-by: Guenter Roeck <linux@xxxxxxxxxxxx>

---
drivers/hwmon/cros_ec_hwmon.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/hwmon/cros_ec_hwmon.c b/drivers/hwmon/cros_ec_hwmon.c
index 41f268fa8260..b3ba7247e06b 100644
--- a/drivers/hwmon/cros_ec_hwmon.c
+++ b/drivers/hwmon/cros_ec_hwmon.c
@@ -212,7 +212,7 @@ static void cros_ec_hwmon_probe_temp_sensors(struct device *dev, struct cros_ec_
continue;
sensor_name_size = strnlen(resp.sensor_name, sizeof(resp.sensor_name));
- priv->temp_sensor_names[i] = devm_kasprintf(dev, GFP_KERNEL, "%*s",
+ priv->temp_sensor_names[i] = devm_kasprintf(dev, GFP_KERNEL, "%.*s",
(int)sensor_name_size,
resp.sensor_name);
}