From patchwork Wed Jul 12 15:14:49 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Guenter Roeck X-Patchwork-Id: 9836973 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 6D04A602BD for ; Wed, 12 Jul 2017 15:14:58 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 5ED642861A for ; Wed, 12 Jul 2017 15:14:58 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 5372A2861F; Wed, 12 Jul 2017 15:14:58 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.8 required=2.0 tests=BAYES_00,DKIM_SIGNED, RCVD_IN_DNSWL_HI,T_DKIM_INVALID autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id DD0AC2861A for ; Wed, 12 Jul 2017 15:14:57 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752762AbdGLPO5 (ORCPT ); Wed, 12 Jul 2017 11:14:57 -0400 Received: from bh-25.webhostbox.net ([208.91.199.152]:33699 "EHLO bh-25.webhostbox.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753198AbdGLPO4 (ORCPT ); Wed, 12 Jul 2017 11:14:56 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=roeck-us.net; s=default; h=Message-Id:Date:Subject:Cc:To:From:Sender: Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=+yLJb6WJVjs396R21s+QoHhTAOkfRfoSnOTa9gHa0fY=; b=ZxThBC+7zQ8JLOL1/IkQCgAsNy mG9bAoe9OcA63Xh6IrsFWXHoclPT0mDnnG0ZsJEU4zs1mep6gaJLskC/M8jHagBGUwWqSPhqxypw+ TzCCvZqOZqL/p6N8QoMtHY63haeKdiAO4eW7d1tqD31HGdM1Coj967D1J+AY9OSyYS3J/tSpRTy/1 p20uLft64+jq/3YJr1YUSMfY+vlDHjkREKDSGFXrfDQEoUqNxFqnV6J+HuGgz10P+ms9IkdN1E2qL uK4GxQ7m5txYamMSVApCkA371H80zUHPu5+mzXxiYn28KdTzhXC638YSlTBWru+/q+hRuGv0hQPpM ktYQggIQ==; Received: from 108-223-40-66.lightspeed.sntcca.sbcglobal.net ([108.223.40.66]:35786 helo=localhost) by bh-25.webhostbox.net with esmtpsa (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.89) (envelope-from ) id 1dVJLq-0005F6-IQ; Wed, 12 Jul 2017 15:14:55 +0000 From: Guenter Roeck To: Henrik Rydberg Cc: Jean Delvare , linux-hwmon@vger.kernel.org, linux-kernel@vger.kernel.org, Guenter Roeck Subject: [RESEND PATCH] hwmon: (applesmc) Avoid buffer overruns Date: Wed, 12 Jul 2017 08:14:49 -0700 Message-Id: <1499872489-25773-1-git-send-email-linux@roeck-us.net> X-Mailer: git-send-email 2.7.4 X-Authenticated_sender: guenter@roeck-us.net X-OutGoing-Spam-Status: No, score=-1.0 X-AntiAbuse: This header was added to track abuse, please include it with any abuse report X-AntiAbuse: Primary Hostname - bh-25.webhostbox.net X-AntiAbuse: Original Domain - vger.kernel.org X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12] X-AntiAbuse: Sender Address Domain - roeck-us.net X-Get-Message-Sender-Via: bh-25.webhostbox.net: authenticated_id: guenter@roeck-us.net X-Authenticated-Sender: bh-25.webhostbox.net: guenter@roeck-us.net X-Source: X-Source-Args: X-Source-Dir: Sender: linux-hwmon-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-hwmon@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP gcc 7.1 complains that the driver uses sprintf() and thus does not validate the length of output buffers. drivers/hwmon/applesmc.c: In function 'applesmc_show_fan_position': drivers/hwmon/applesmc.c:82:21: warning: '%d' directive writing between 1 and 5 bytes into a region of size 4 Fix the problem by using scnprintf() instead of sprintf() throughout the driver. Also explicitly limit the number of supported fans to avoid actual buffer overruns and thus invalid keys. Signed-off-by: Guenter Roeck --- Resent with corrected hwmon e-mail address. Sorry for the noise. drivers/hwmon/applesmc.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/drivers/hwmon/applesmc.c b/drivers/hwmon/applesmc.c index 0af7fd311979..76c34f4fde13 100644 --- a/drivers/hwmon/applesmc.c +++ b/drivers/hwmon/applesmc.c @@ -566,6 +566,8 @@ static int applesmc_init_smcreg_try(void) if (ret) return ret; s->fan_count = tmp[0]; + if (s->fan_count > 10) + s->fan_count = 10; ret = applesmc_get_lower_bound(&s->temp_begin, "T"); if (ret) @@ -811,7 +813,8 @@ static ssize_t applesmc_show_fan_speed(struct device *dev, char newkey[5]; u8 buffer[2]; - sprintf(newkey, fan_speed_fmt[to_option(attr)], to_index(attr)); + scnprintf(newkey, sizeof(newkey), fan_speed_fmt[to_option(attr)], + to_index(attr)); ret = applesmc_read_key(newkey, buffer, 2); speed = ((buffer[0] << 8 | buffer[1]) >> 2); @@ -834,7 +837,8 @@ static ssize_t applesmc_store_fan_speed(struct device *dev, if (kstrtoul(sysfsbuf, 10, &speed) < 0 || speed >= 0x4000) return -EINVAL; /* Bigger than a 14-bit value */ - sprintf(newkey, fan_speed_fmt[to_option(attr)], to_index(attr)); + scnprintf(newkey, sizeof(newkey), fan_speed_fmt[to_option(attr)], + to_index(attr)); buffer[0] = (speed >> 6) & 0xff; buffer[1] = (speed << 2) & 0xff; @@ -903,7 +907,7 @@ static ssize_t applesmc_show_fan_position(struct device *dev, char newkey[5]; u8 buffer[17]; - sprintf(newkey, FAN_ID_FMT, to_index(attr)); + scnprintf(newkey, sizeof(newkey), FAN_ID_FMT, to_index(attr)); ret = applesmc_read_key(newkey, buffer, 16); buffer[16] = 0; @@ -1116,7 +1120,8 @@ static int applesmc_create_nodes(struct applesmc_node_group *groups, int num) } for (i = 0; i < num; i++) { node = &grp->nodes[i]; - sprintf(node->name, grp->format, i + 1); + scnprintf(node->name, sizeof(node->name), grp->format, + i + 1); node->sda.index = (grp->option << 16) | (i & 0xffff); node->sda.dev_attr.show = grp->show; node->sda.dev_attr.store = grp->store;