git.ipfire.org Git - thirdparty/linux.git/commit

author	Thorsten Blum <thorsten.blum@linux.dev>
	Tue, 16 Dec 2025 14:50:03 +0000 (15:50 +0100)
committer	Krzysztof Kozlowski <krzk@kernel.org>
	Thu, 18 Dec 2025 16:01:42 +0000 (17:01 +0100)
commit	761fcf46a1bd797bd32d23f3ea0141ffd437668a
tree	f284f9400dda2950c4e26d60c1dab3fdfde20e32	tree \| snapshot
parent	8f0b4cce4481fb22653697cced8d0d04027cb1e8	commit \| diff

w1: therm: Fix off-by-one buffer overflow in alarms_store

The sysfs buffer passed to alarms_store() is allocated with 'size + 1'
bytes and a NUL terminator is appended. However, the 'size' argument
does not account for this extra byte. The original code then allocated
'size' bytes and used strcpy() to copy 'buf', which always writes one
byte past the allocated buffer since strcpy() copies until the NUL
terminator at index 'size'.

Fix this by parsing the 'buf' parameter directly using simple_strtoll()
without allocating any intermediate memory or string copying. This
removes the overflow while simplifying the code.

Cc: stable@vger.kernel.org
Fixes: e2c94d6f5720 ("w1_therm: adding alarm sysfs entry")
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
Link: https://patch.msgid.link/20251216145007.44328-2-thorsten.blum@linux.dev
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>