hwmon: (applesmc) Avoid buffer overruns

gcc 7.1 complains that the driver uses sprintf() and thus does not validate the length of output buffers. drivers/hwmon/applesmc.c: In function 'applesmc_show_fan_position': drivers/hwmon/applesmc.c:82:21: warning: '%d' directive writing between 1 and 5 bytes into a region of size 4 Fix the problem by using scnprintf() instead of sprintf() throughout the driver. Also explicitly limit the number of supported fans to avoid actual buffer overruns and thus invalid keys. Signed-off-by: Guenter Roeck <linux@roeck-us.net>
author: Guenter Roeck <linux@roeck-us.net> 2017-07-11 23:53:55 -0400
committer: Guenter Roeck <linux@roeck-us.net> 2017-07-15 19:38:56 -0400
commit: 1009ccdc64ee2c8451f76b548589f6b989d13412 (patch)
tree: 1550e7c64fa36ed378ae26a874d9a694027d4d5a
parent: 5771a8c08880cdca3bfb4a3fc6d309d6bba20877 (diff)
1 files changed, 9 insertions, 4 deletions
diff --git a/drivers/hwmon/applesmc.c b/drivers/hwmon/applesmc.c
index 0af7fd311979..76c34f4fde13 100644
--- a/drivers/hwmon/applesmc.c
+++ b/drivers/hwmon/applesmc.c
@@ -566,6 +566,8 @@ static int applesmc_init_smcreg_try(void)
        if (ret)
                return ret;
        s->fan_count = tmp[0];
+        if (s->fan_count > 10)
+                s->fan_count = 10;
        ret = applesmc_get_lower_bound(&s->temp_begin, "T");
        if (ret)
@@ -811,7 +813,8 @@ static ssize_t applesmc_show_fan_speed(struct device *dev,
        char newkey[5];
        u8 buffer[2];
-        sprintf(newkey, fan_speed_fmt[to_option(attr)], to_index(attr));
+        scnprintf(newkey, sizeof(newkey), fan_speed_fmt[to_option(attr)],
+                  to_index(attr));
        ret = applesmc_read_key(newkey, buffer, 2);
        speed = ((buffer[0] << 8 | buffer[1]) >> 2);
@@ -834,7 +837,8 @@ static ssize_t applesmc_store_fan_speed(struct device *dev,
        if (kstrtoul(sysfsbuf, 10, &speed) < 0 || speed >= 0x4000)
                return -EINVAL;         /* Bigger than a 14-bit value */
-        sprintf(newkey, fan_speed_fmt[to_option(attr)], to_index(attr));
+        scnprintf(newkey, sizeof(newkey), fan_speed_fmt[to_option(attr)],
+                  to_index(attr));
        buffer[0] = (speed >> 6) & 0xff;
        buffer[1] = (speed << 2) & 0xff;
@@ -903,7 +907,7 @@ static ssize_t applesmc_show_fan_position(struct device *dev,
        char newkey[5];
        u8 buffer[17];
-        sprintf(newkey, FAN_ID_FMT, to_index(attr));
+        scnprintf(newkey, sizeof(newkey), FAN_ID_FMT, to_index(attr));
        ret = applesmc_read_key(newkey, buffer, 16);
        buffer[16] = 0;
@@ -1116,7 +1120,8 @@ static int applesmc_create_nodes(struct applesmc_node_group *groups, int num)
                }
                for (i = 0; i < num; i++) {
                        node = &grp->nodes[i];
-                        sprintf(node->name, grp->format, i + 1);
+                        scnprintf(node->name, sizeof(node->name), grp->format,
+                                  i + 1);
                        node->sda.index = (grp->option << 16) | (i & 0xffff);
                        node->sda.dev_attr.show = grp->show;
                        node->sda.dev_attr.store = grp->store;
author	Guenter Roeck <linux@roeck-us.net>	2017-07-11 23:53:55 -0400
committer	Guenter Roeck <linux@roeck-us.net>	2017-07-15 19:38:56 -0400
commit	1009ccdc64ee2c8451f76b548589f6b989d13412 (patch)
tree	1550e7c64fa36ed378ae26a874d9a694027d4d5a
parent	5771a8c08880cdca3bfb4a3fc6d309d6bba20877 (diff)