git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Thorsten Blum <thorsten.blum@linux.dev>
	Tue, 16 Dec 2025 14:50:03 +0000 (15:50 +0100)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Fri, 30 Jan 2026 09:27:34 +0000 (10:27 +0100)
commit	6a5820ecfa5a76c3d3e154802c8c15f391ef442e
tree	5e27b066c7bd50ec12bb292f22b6178cba6eb451	tree \| snapshot
parent	aaff8f3a35c9d7e8f3241ae08e6d399d752a6850	commit \| diff

w1: therm: Fix off-by-one buffer overflow in alarms_store

commit 761fcf46a1bd797bd32d23f3ea0141ffd437668a upstream.

The sysfs buffer passed to alarms_store() is allocated with 'size + 1'
bytes and a NUL terminator is appended. However, the 'size' argument
does not account for this extra byte. The original code then allocated
'size' bytes and used strcpy() to copy 'buf', which always writes one
byte past the allocated buffer since strcpy() copies until the NUL
terminator at index 'size'.

Fix this by parsing the 'buf' parameter directly using simple_strtoll()
without allocating any intermediate memory or string copying. This
removes the overflow while simplifying the code.

Cc: stable@vger.kernel.org
Fixes: e2c94d6f5720 ("w1_therm: adding alarm sysfs entry")
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
Link: https://patch.msgid.link/20251216145007.44328-2-thorsten.blum@linux.dev
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>