From: Dan Carpenter <dan.carpenter@linaro.org>
Date: Thu, 6 Jun 2024 13:12:11 +0000 (+0300)
Subject: hwmon: (cros_ec) Prevent read overflow in probe()
X-Git-Tag: v6.11-rc1~215^2~14
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1f72dd046270ff44e5fd43045c4d0bb025f88607;p=thirdparty%2Fkernel%2Flinux.git

hwmon: (cros_ec) Prevent read overflow in probe()

The "resp.sensor_name" comes from cros_ec_cmd() and it hasn't necessarily
been NUL terminated.  We had not intended to read past "sensor_name_size"
bytes, however, there is a width vs precision bug in the format string.
The format needs to be precision '%.*s' instead of width '%*s'.
Precision prevents an out of bounds read, but width is a no-op.

Fixes: bc3e45258096 ("hwmon: add ChromeOS EC driver")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: Guenter Roeck <linux@roeck-us.net>
Acked-by: Thomas Weißschuh <linux@weissschuh.net>
Link: https://lore.kernel.org/r/42331b70-bd3c-496c-8c79-3ec4faad40b8@moroto.mountain
Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>
---

diff --git a/drivers/hwmon/cros_ec_hwmon.c b/drivers/hwmon/cros_ec_hwmon.c
index 41f268fa82609..b3ba7247e06b2 100644
--- a/drivers/hwmon/cros_ec_hwmon.c
+++ b/drivers/hwmon/cros_ec_hwmon.c
@@ -212,7 +212,7 @@ static void cros_ec_hwmon_probe_temp_sensors(struct device *dev, struct cros_ec_
 			continue;
 
 		sensor_name_size = strnlen(resp.sensor_name, sizeof(resp.sensor_name));
-		priv->temp_sensor_names[i] = devm_kasprintf(dev, GFP_KERNEL, "%*s",
+		priv->temp_sensor_names[i] = devm_kasprintf(dev, GFP_KERNEL, "%.*s",
 							    (int)sensor_name_size,
 							    resp.sensor_name);
 	}