--- /dev/null
+From 3b9b95363c45365d606ad4bbba16acca75fdf6d3 Mon Sep 17 00:00:00 2001
+From: Nathan Sullivan <nathan.sullivan@ni.com>
+Date: Mon, 15 Aug 2016 17:20:14 -0500
+Subject: leds: do not overflow sysfs buffer in led_trigger_show
+
+From: Nathan Sullivan <nathan.sullivan@ni.com>
+
+commit 3b9b95363c45365d606ad4bbba16acca75fdf6d3 upstream.
+
+Per the documentation, use scnprintf instead of sprintf to ensure there
+is never more than PAGE_SIZE bytes of trigger names put into the
+buffer.
+
+Signed-off-by: Nathan Sullivan <nathan.sullivan@ni.com>
+Signed-off-by: Zach Brown <zach.brown@ni.com>
+Signed-off-by: Jacek Anaszewski <j.anaszewski@samsung.com>
+Cc: Willy Tarreau <w@1wt.eu>
+Cc: Vlastimil Babka <vbabka@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/leds/led-triggers.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/drivers/leds/led-triggers.c
++++ b/drivers/leds/led-triggers.c
+@@ -88,21 +88,23 @@ ssize_t led_trigger_show(struct device *
+ down_read(&led_cdev->trigger_lock);
+
+ if (!led_cdev->trigger)
+- len += sprintf(buf+len, "[none] ");
++ len += scnprintf(buf+len, PAGE_SIZE - len, "[none] ");
+ else
+- len += sprintf(buf+len, "none ");
++ len += scnprintf(buf+len, PAGE_SIZE - len, "none ");
+
+ list_for_each_entry(trig, &trigger_list, next_trig) {
+ if (led_cdev->trigger && !strcmp(led_cdev->trigger->name,
+ trig->name))
+- len += sprintf(buf+len, "[%s] ", trig->name);
++ len += scnprintf(buf+len, PAGE_SIZE - len, "[%s] ",
++ trig->name);
+ else
+- len += sprintf(buf+len, "%s ", trig->name);
++ len += scnprintf(buf+len, PAGE_SIZE - len, "%s ",
++ trig->name);
+ }
+ up_read(&led_cdev->trigger_lock);
+ up_read(&triggers_list_lock);
+
+- len += sprintf(len+buf, "\n");
++ len += scnprintf(len+buf, PAGE_SIZE - len, "\n");
+ return len;
+ }
+ EXPORT_SYMBOL_GPL(led_trigger_show);
projects / thirdparty / kernel / stable-queue.git / commitdiff
