From patchwork Wed Nov  8 12:08:39 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Arnd Bergmann <arnd@arndb.de>
X-Patchwork-Id: 10048389
X-Patchwork-Delegate: dvhart@infradead.org
Return-Path: <platform-driver-x86-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	8837C60247
	for <patchwork-platform-driver-x86@patchwork.kernel.org>;
	Wed,  8 Nov 2017 12:09:30 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 76DA42A575
	for <patchwork-platform-driver-x86@patchwork.kernel.org>;
	Wed,  8 Nov 2017 12:09:30 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 6A0802A5A4; Wed,  8 Nov 2017 12:09:30 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI
	autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 922872A575
	for <patchwork-platform-driver-x86@patchwork.kernel.org>;
	Wed,  8 Nov 2017 12:09:28 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1752289AbdKHMJ2 (ORCPT
	<rfc822;patchwork-platform-driver-x86@patchwork.kernel.org>);
	Wed, 8 Nov 2017 07:09:28 -0500
Received: from mout.kundenserver.de ([212.227.126.133]:55830 "EHLO
	mout.kundenserver.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1752033AbdKHMJ1 (ORCPT
	<rfc822;platform-driver-x86@vger.kernel.org>);
	Wed, 8 Nov 2017 07:09:27 -0500
Received: from wuerfel.lan ([109.193.157.232]) by mrelayeu.kundenserver.de
	(mreue001 [212.227.15.129]) with ESMTPA (Nemesis) id
	0LiscI-1eoE0u0oJi-00dFVl; Wed, 08 Nov 2017 13:08:46 +0100
From: Arnd Bergmann <arnd@arndb.de>
To: =?UTF-8?q?Pali=20Roh=C3=A1r?= <pali.rohar@gmail.com>,
	Mario Limonciello <mario.limonciello@dell.com>,
	Darren Hart <dvhart@infradead.org>, Andy Shevchenko <andy@infradead.org>
Cc: Arnd Bergmann <arnd@arndb.de>,
	"Edward O'Callaghan" <quasisec@google.com>,
	Hans de Goede <hdegoede@redhat.com>,
	platform-driver-x86@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] dell-smbios: fix string overflow
Date: Wed,  8 Nov 2017 13:08:39 +0100
Message-Id: <20171108120844.3196747-1-arnd@arndb.de>
X-Mailer: git-send-email 2.9.0
X-Provags-ID: V03:K0:61hUVFmRj0kTbhb18HGPK798Dc6r/0acYiirU+J6bX0Vc937QQM
	tpw125x3Tl40oAmnu6mfF+PIQiVi7v1VJqySFCwcQo2EpO3s46VfcZ3Uzicd7p0vA9+Dd7M
	iPXJ0E9E55ZuO23UFUFONHi+cpnweGxx/zOiaDAHFb364cYUvVaY3hR/hpJ1l3CZDqSrSkw
	HLhKGDRzyb9XJTE56It/g==
X-UI-Out-Filterresults: notjunk:1; V01:K0:W7NBzZuiOCE=:R6NBHr27ELjxV4UXJEGey8
	JbkV5oV9ahNUQ2qyHGqHrHSAteZ0IBluzqhTBQ9/inJyu80c+y27yeFsQPzD6BWc2uItOEvdy
	a9nfVrUCy78dZ/Bk3E8M+sMGq0azkGnLnxogYFKzfXsmiw3oEJOhUD56rcDyYEbItQk4GIJvg
	cKh8oHkK0AH9EYvtoU205rg8LIwWgCIPjBCZBnn7isj7ZNRFQW+0X48wt8vB8D5Yw50rXWxxT
	+0Mer6LuUDD4H6t5RSrUZfVAdPYhPIbXaME8OdFGY6sMhM2WhQPtNLk/56PvRFqlwsT3pRL0q
	NmE+jB6KYCpRETKVis6LLrW+pJL6dNf4qYx3ohzjlF/71QFpaeVO2iIgT419/Igcbn30DPvcl
	H5dlC8HcMURXmb2gp1Ho9R+Vp9Eaq7+aVIiWBUlGUE6KBORNm8OTkq7iTFBkmKgyGOENo5Mxg
	89xKX0Fi8YmR+W4svXeyH32uKPjpFIIMGu+I/oGUQbx+bx+4P80M5nzVuTSnuW/27M2K+Y9Lo
	DVWKJhAhQZMVYF/G6XuNVuv6X2JuG3WRuoo6+Kp4GYouGPBjwA7aLnhQRDQF8nIy9awXdA4dx
	DCweaAgqxMXTknr5TN1YemnzyKWReruYzpGj4dlBbYWh6moMIcvuZNSohsq1mhejGGwnVqLEg
	QtyX9w4kcO5QqpFZKyxPsfXuoK02xnRK915wSPEI9MoDvvfvBMTHK5X2uvNOAITY11kIMaiqa
	ntFZ9HxF8zc/et21DYlBYLZCEDLBEPtNPQTF8A==
Sender: platform-driver-x86-owner@vger.kernel.org
Precedence: bulk
List-ID: <platform-driver-x86.vger.kernel.org>
X-Mailing-List: platform-driver-x86@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

The new sysfs code overwrites two fixed-length character arrays
that are each one byte shorter than they need to be, to hold
the trailing \0:

drivers/platform/x86/dell-smbios.c: In function 'build_tokens_sysfs':
drivers/platform/x86/dell-smbios.c:494:42: error: 'sprintf' writing a terminating nul past the end of the destination [-Werror=format-overflow=]
   sprintf(buffer_location, "%04x_location",
drivers/platform/x86/dell-smbios.c:494:3: note: 'sprintf' output 14 bytes into a destination of size 13
drivers/platform/x86/dell-smbios.c:506:36: error: 'sprintf' writing a terminating nul past the end of the destination [-Werror=format-overflow=]
   sprintf(buffer_value, "%04x_value",
drivers/platform/x86/dell-smbios.c:506:3: note: 'sprintf' output 11 bytes into a destination of size 10

This changes it to just use kasprintf(), which always gets it right.

Fixes: 33b9ca1e53b4 ("platform/x86: dell-smbios: Add a sysfs interface for SMBIOS tokens")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Mario Limonciello <mario.limonciello@dell.com>
Reviewed-by: Pali Rohár <pali.rohar@gmail.com>
---
 drivers/platform/x86/dell-smbios.c | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)

diff --git a/drivers/platform/x86/dell-smbios.c b/drivers/platform/x86/dell-smbios.c
index d99edd803c19..6a60db515bda 100644
--- a/drivers/platform/x86/dell-smbios.c
+++ b/drivers/platform/x86/dell-smbios.c
@@ -463,8 +463,6 @@ static struct platform_driver platform_driver = {
 
 static int build_tokens_sysfs(struct platform_device *dev)
 {
-	char buffer_location[13];
-	char buffer_value[10];
 	char *location_name;
 	char *value_name;
 	size_t size;
@@ -491,9 +489,8 @@ static int build_tokens_sysfs(struct platform_device *dev)
 		if (da_tokens[i].tokenID == 0)
 			continue;
 		/* add location */
-		sprintf(buffer_location, "%04x_location",
-			da_tokens[i].tokenID);
-		location_name = kstrdup(buffer_location, GFP_KERNEL);
+		location_name = kasprintf(GFP_KERNEL, "%04x_location",
+					  da_tokens[i].tokenID);
 		if (location_name == NULL)
 			goto out_unwind_strings;
 		sysfs_attr_init(&token_location_attrs[i].attr);
@@ -503,9 +500,8 @@ static int build_tokens_sysfs(struct platform_device *dev)
 		token_attrs[j++] = &token_location_attrs[i].attr;
 
 		/* add value */
-		sprintf(buffer_value, "%04x_value",
-			da_tokens[i].tokenID);
-		value_name = kstrdup(buffer_value, GFP_KERNEL);
+		value_name = kasprintf(GFP_KERNEL, "%04x_value",
+				       da_tokens[i].tokenID);
 		if (value_name == NULL)
 			goto loop_fail_create_value;
 		sysfs_attr_init(&token_value_attrs[i].attr);