Re: [PATCH v2] w1: therm: Fix off-by-one buffer overflow in alarms_store

Next message: Danilo Krummrich: "Re: [PATCH v2 1/8] rust: fs: add file::Offset type alias"
Previous message: Yonghong Song: "Re: [syzbot] [bpf?] WARNING in bpf_bprintf_prepare (3)"
In reply to: Thorsten Blum: "[PATCH v2] w1: therm: Fix off-by-one buffer overflow in alarms_store"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Thorsten Blum

Date: Wed Oct 29 2025 - 11:26:34 EST

On 29. Oct 2025, at 14:00, Thorsten Blum wrote:
> The sysfs buffer passed to alarms_store() is allocated with 'size + 1'
> bytes and a NUL terminator is appended. However, the 'size' argument
> does not account for this extra byte. The original code then allocated
> 'size' bytes and used strcpy() to copy 'buf', which always writes one
> byte past the allocated buffer since strcpy() copies until the NUL
> terminator at index 'size'.
>
> Fix this by parsing the 'buf' parameter directly using simple_strtol()
> without allocating any intermediate memory or string copying. This
> removes the overflow while simplifying the code.
>
> Cc: stable@xxxxxxxxxxxxxxx
> Fixes: e2c94d6f5720 ("w1_therm: adding alarm sysfs entry")
> Signed-off-by: Thorsten Blum <thorsten.blum@xxxxxxxxx>
> ---

I should still add overflow detection to simple_strtol() to match the
behavior of kstrtoint(), but please let me know what you think of the
current version first.

Thanks,
Thorsten