From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Dan Carpenter <dan.carpenter@oracle.com>,
Daniel Lezcano <daniel.lezcano@linaro.org>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.14 20/75] thermal/core: Potential buffer overflow in thermal_build_list_of_policies()
Date: Mon, 4 Oct 2021 14:51:55 +0200 [thread overview]
Message-ID: <20211004125032.200507467@linuxfoundation.org> (raw)
In-Reply-To: <20211004125031.530773667@linuxfoundation.org>
From: Dan Carpenter <dan.carpenter@oracle.com>
[ Upstream commit 1bb30b20b49773369c299d4d6c65227201328663 ]
After printing the list of thermal governors, then this function prints
a newline character. The problem is that "size" has not been updated
after printing the last governor. This means that it can write one
character (the NUL terminator) beyond the end of the buffer.
Get rid of the "size" variable and just use "PAGE_SIZE - count" directly.
Fixes: 1b4f48494eb2 ("thermal: core: group functions related to governor handling")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
Link: https://lore.kernel.org/r/20210916131342.GB25094@kili
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/thermal/thermal_core.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/drivers/thermal/thermal_core.c b/drivers/thermal/thermal_core.c
index 2db83b555e59..94820f25a15f 100644
--- a/drivers/thermal/thermal_core.c
+++ b/drivers/thermal/thermal_core.c
@@ -231,15 +231,14 @@ int thermal_build_list_of_policies(char *buf)
{
struct thermal_governor *pos;
ssize_t count = 0;
- ssize_t size = PAGE_SIZE;
mutex_lock(&thermal_governor_lock);
list_for_each_entry(pos, &thermal_governor_list, governor_list) {
- size = PAGE_SIZE - count;
- count += scnprintf(buf + count, size, "%s ", pos->name);
+ count += scnprintf(buf + count, PAGE_SIZE - count, "%s ",
+ pos->name);
}
- count += scnprintf(buf + count, size, "\n");
+ count += scnprintf(buf + count, PAGE_SIZE - count, "\n");
mutex_unlock(&thermal_governor_lock);
--
2.33.0
next prev parent reply other threads:[~2021-10-04 13:02 UTC|newest]
Thread overview: 81+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-10-04 12:51 [PATCH 4.14 00/75] 4.14.249-rc1 review Greg Kroah-Hartman
2021-10-04 12:51 ` [PATCH 4.14 01/75] ocfs2: drop acl cache for directories too Greg Kroah-Hartman
2021-10-04 12:51 ` [PATCH 4.14 02/75] usb: gadget: r8a66597: fix a loop in set_feature() Greg Kroah-Hartman
2021-10-04 12:51 ` [PATCH 4.14 03/75] usb: musb: tusb6010: uninitialized data in tusb_fifo_write_unaligned() Greg Kroah-Hartman
2021-10-04 12:51 ` [PATCH 4.14 04/75] cifs: fix incorrect check for null pointer in header_assemble Greg Kroah-Hartman
2021-10-04 12:51 ` [PATCH 4.14 05/75] xen/x86: fix PV trap handling on secondary processors Greg Kroah-Hartman
2021-10-04 12:51 ` [PATCH 4.14 06/75] usb-storage: Add quirk for ScanLogic SL11R-IDE older than 2.6c Greg Kroah-Hartman
2021-10-04 12:51 ` [PATCH 4.14 07/75] USB: serial: cp210x: add ID for GW Instek GDM-834x Digital Multimeter Greg Kroah-Hartman
2021-10-04 12:51 ` [PATCH 4.14 08/75] staging: greybus: uart: fix tty use after free Greg Kroah-Hartman
2021-10-04 12:51 ` [PATCH 4.14 09/75] Re-enable UAS for LaCie Rugged USB3-FW with fk quirk Greg Kroah-Hartman
2021-10-04 12:51 ` [PATCH 4.14 10/75] USB: serial: mos7840: remove duplicated 0xac24 device ID Greg Kroah-Hartman
2021-10-04 12:51 ` [PATCH 4.14 11/75] USB: serial: option: add Telit LN920 compositions Greg Kroah-Hartman
2021-10-04 12:51 ` [PATCH 4.14 12/75] USB: serial: option: remove duplicate USB device ID Greg Kroah-Hartman
2021-10-04 12:51 ` [PATCH 4.14 13/75] USB: serial: option: add device id for Foxconn T99W265 Greg Kroah-Hartman
2021-10-04 12:51 ` [PATCH 4.14 14/75] mcb: fix error handling in mcb_alloc_bus() Greg Kroah-Hartman
2021-10-04 12:51 ` [PATCH 4.14 15/75] serial: mvebu-uart: fix drivers tx_empty callback Greg Kroah-Hartman
2021-10-04 12:51 ` [PATCH 4.14 16/75] net: hso: fix muxed tty registration Greg Kroah-Hartman
2021-10-04 12:51 ` [PATCH 4.14 17/75] bnxt_en: Fix TX timeout when TX ring size is set to the smallest Greg Kroah-Hartman
2021-10-04 12:51 ` [PATCH 4.14 18/75] net/mlx4_en: Dont allow aRFS for encapsulated packets Greg Kroah-Hartman
2021-10-04 12:51 ` [PATCH 4.14 19/75] scsi: iscsi: Adjust iface sysfs attr detection Greg Kroah-Hartman
2021-10-04 12:51 ` Greg Kroah-Hartman [this message]
2021-10-04 12:51 ` [PATCH 4.14 21/75] irqchip/gic-v3-its: Fix potential VPE leak on error Greg Kroah-Hartman
2021-10-04 12:51 ` [PATCH 4.14 22/75] md: fix a lock order reversal in md_alloc Greg Kroah-Hartman
2021-10-04 12:51 ` [PATCH 4.14 23/75] blktrace: Fix uaf in blk_trace access after removing by sysfs Greg Kroah-Hartman
2021-10-04 12:51 ` [PATCH 4.14 24/75] net: macb: fix use after free on rmmod Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.14 25/75] net: stmmac: allow CSR clock of 300MHz Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.14 26/75] m68k: Double cast io functions to unsigned long Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.14 27/75] xen/balloon: use a kernel thread instead a workqueue Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.14 28/75] compiler.h: Introduce absolute_pointer macro Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.14 29/75] net: i825xx: Use absolute_pointer for memcpy from fixed memory location Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.14 30/75] sparc: avoid stringop-overread errors Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.14 31/75] qnx4: " Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.14 32/75] parisc: Use absolute_pointer() to define PAGE0 Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.14 33/75] arm64: Mark __stack_chk_guard as __ro_after_init Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.14 34/75] alpha: Declare virt_to_phys and virt_to_bus parameter as pointer to volatile Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.14 35/75] net: 6pack: Fix tx timeout and slot time Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.14 36/75] spi: Fix tegra20 build with CONFIG_PM=n Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.14 37/75] arm64: dts: marvell: armada-37xx: Extend PCIe MEM space Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.14 38/75] PCI: aardvark: Fix checking for PIO Non-posted Request Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.14 39/75] PCI: aardvark: Fix checking for PIO status Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.14 40/75] xen/balloon: fix balloon kthread freezing Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.14 41/75] qnx4: work around gcc false positive warning bug Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.14 42/75] tty: Fix out-of-bound vmalloc access in imageblit Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.14 43/75] cpufreq: schedutil: Use kobject release() method to free sugov_tunables Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.14 44/75] cpufreq: schedutil: Destroy mutex before kobject_put() frees the memory Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.14 45/75] mac80211: fix use-after-free in CCMP/GCMP RX Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.14 46/75] ipvs: check that ip_vs_conn_tab_bits is between 8 and 20 Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.14 47/75] mac80211: Fix ieee80211_amsdu_aggregate frag_tail bug Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.14 48/75] mac80211: limit injected vht mcs/nss in ieee80211_parse_tx_radiotap Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.14 49/75] sctp: break out if skb_header_pointer returns NULL in sctp_rcv_ootb Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.14 50/75] hwmon: (tmp421) fix rounding for negative values Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.14 51/75] e100: fix length calculation in e100_get_regs_len Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.14 52/75] e100: fix buffer overrun in e100_get_regs Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.14 53/75] scsi: csiostor: Add module softdep on cxgb4 Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.14 54/75] af_unix: fix races in sk_peer_pid and sk_peer_cred accesses Greg Kroah-Hartman
2021-10-07 15:57 ` Jann Horn
2021-10-07 16:21 ` Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.14 55/75] ipack: ipoctal: fix stack information leak Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.14 56/75] ipack: ipoctal: fix tty registration race Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.14 57/75] ipack: ipoctal: fix tty-registration error handling Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.14 58/75] ipack: ipoctal: fix missing allocation-failure check Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.14 59/75] ipack: ipoctal: fix module reference leak Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.14 60/75] ext4: fix potential infinite loop in ext4_dx_readdir() Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.14 61/75] net: udp: annotate data race around udp_sk(sk)->corkflag Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.14 62/75] EDAC/synopsys: Fix wrong value type assignment for edac_mode Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.14 63/75] ARM: 9077/1: PLT: Move struct plt_entries definition to header Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.14 64/75] ARM: 9078/1: Add warn suppress parameter to arm_gen_branch_link() Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.14 65/75] ARM: 9079/1: ftrace: Add MODULE_PLTS support Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.14 66/75] ARM: 9098/1: ftrace: MODULE_PLT: Fix build problem without DYNAMIC_FTRACE Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.14 67/75] arm64: Extend workaround for erratum 1024718 to all versions of Cortex-A55 Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.14 68/75] hso: fix bailout in error case of probe Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.14 69/75] usb: hso: fix error handling code of hso_create_net_device Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.14 70/75] usb: hso: remove the bailout parameter Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.14 71/75] crypto: ccp - fix resource leaks in ccp_run_aes_gcm_cmd() Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.14 72/75] HID: betop: fix slab-out-of-bounds Write in betop_probe Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.14 73/75] netfilter: ipset: Fix oversized kvmalloc() calls Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.14 74/75] HID: usbhid: free raw_report buffers in usbhid_stop Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.14 75/75] net: mdiobus: Fix memory leak in __mdiobus_register Greg Kroah-Hartman
2021-10-04 17:49 ` [PATCH 4.14 00/75] 4.14.249-rc1 review Naresh Kamboju
2021-10-04 17:50 ` Eric Dumazet
2021-10-05 2:14 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211004125032.200507467@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=dan.carpenter@oracle.com \
--cc=daniel.lezcano@linaro.org \
--cc=linux-kernel@vger.kernel.org \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).