[lm-sensors] drivers/hwmon/lm93.c: array overruns

Hans-Jürgen Koch hjk at linutronix.de
Tue Jul 24 10:26:46 CEST 2007


Am Dienstag 24 Juli 2007 10:10 schrieb Jean Delvare:
> Hi Hans,
> 
> On Mon, 23 Jul 2007 09:36:57 +0200, Hans-Jürgen Koch wrote:
> > Am Montag 23 Juli 2007 02:54 schrieb Adrian Bunk:
> > > The Coverity checker spotted the following array overruns
> > > in drivers/hwmon/lm93.c:
> > > 
> > > <--  snip  -->
> > > 
> > > ...
> > > struct lm93_data {
> > > ...
> > >         struct {
> > >                 u8 min;
> > >                 u8 max;
> > >         } temp_lim[3];
> > > ...
> > > };
> > > ...
> > > static void lm93_update_client_common(struct lm93_data *data,
> > >                                       struct i2c_client *client)
> > > {
> > > ...
> > >         for (i = 0; i < 4; i++) {
> > >                 data->temp_lim[i].min =
> > >                         lm93_read_byte(client, LM93_REG_TEMP_MIN(i));
> > >                 data->temp_lim[i].max =
> > >                         lm93_read_byte(client, LM93_REG_TEMP_MAX(i));
> > >         }
> > > ...
> > > 
> > > <--  snip  -->
> > 
> > This patch should fix it. Thanks a lot, Adrian!
> > 
> > ----
> > This fixes an array overflow bug. We have 4 pairs of min/max temperature 
> > limits, not 3.
> > 
> > Signed-off-by: Hans J. Koch <hjk at linutronix.de>
> > 
> > --
> > Index: linux-2.6.23-rc/drivers/hwmon/lm93.c
> > ===================================================================
> > --- linux-2.6.23-rc.orig/drivers/hwmon/lm93.c	2007-07-23 09:22:56.000000000 +0200
> > +++ linux-2.6.23-rc/drivers/hwmon/lm93.c	2007-07-23 09:29:37.000000000 +0200
> > @@ -234,7 +234,7 @@
> >  	struct {
> >  		u8 min;
> >  		u8 max;
> > -	} temp_lim[3];
> > +	} temp_lim[4];
> >  
> >  	/* vin1 - vin16: low and high limits */
> >  	struct {
> 
> This will do as a quick fix, so:
> 
> Acked-by: Jean Delvare <khali at linux-fr.org>
> 
> However, I see that temp4 (which isn't a real temperature channel) is
> not exposed in sysfs. Reading and storing register values you never use
> doesn't seem particularly interesting, so something needs to be done
> here: either drop support for temp4 entirely, or expose the temp4
> values in sysfs.

I've got that on my TODO list. I'll soon work on that driver again. I'm still
waiting for that #§$?& NDA-covered datasheet of the LM94. As soon as I've got
that, I need to review all these values anyway because there might be subtle
differences between LM93 and LM94.
For the moment, I'd like to postpone the decision about what to do with temp4.

Thanks anyway for pointing this out.

Hans
 




More information about the lm-sensors mailing list