CHROMIUM: bq27x00: Fix OOB write in model name

The BQ27500_MAX_NAME_LEN is now 7 and when we are unable to read the model name we strcpy "unknown" to the model name variable which will cause out of bound write because of \0 at the end of the string. To address this issue, this patch does 3 things. - Increase model name max length from 7 to 20 - Truncate model name when length >= 20 - Change strcpy to strlcpy BUG=chromium:581343 TEST=build / ryu boot Change-Id: Ibf2003be17aed991568d98dfe50bbe72ef5a8292 Signed-off-by: Puthikorn Voravootivat <puthik@chromium.org> Reviewed-on: https://chromium-review.googlesource.com/324058 Reviewed-by: David Riley <davidriley@chromium.org> (cherry picked from commit f8e84e6) Reviewed-on: https://chrome-internal-review.googlesource.com/246295 Reviewed-by: David Riley <davidriley@google.com> Commit-Queue: Andrew Bresticker <abrestic@google.com> Tested-by: Andrew Bresticker <abrestic@google.com>
mariux64 · Jan 27, 2016 · c069776 · c069776
1 parent 9268da9
commit c069776
Showing 1 changed file with 9 additions and 3 deletions.
diff --git a/drivers/power/bq27x00_battery.c b/drivers/power/bq27x00_battery.c
@@ -74,7 +74,7 @@
 #define BQ27500_FLAG_SOC1		BIT(2) /* State-of-Charge threshold 1 */
 #define BQ27500_FLAG_FC			BIT(9)
 #define BQ27500_FLAG_OTC		BIT(15)
-#define BQ27500_MAX_NAME_LEN		7
+#define BQ27500_MAX_NAME_LEN		20
 
 #define BQ27742_POWER_AVG		0x76
 
@@ -353,14 +353,20 @@ static int bq27x00_battery_model_name(struct bq27x00_device_info *di)
 		return -EINVAL;
 
 	len = bq27x00_read(di, BQ27500_REG_DEV_NAME_LEN, false);
-	if (len < 0 || len > BQ27500_MAX_NAME_LEN) {
+	if (len <= 0) {
 		dev_err(di->dev, "error reading available length = %d\n", len);
 		return -EINVAL;
 	}
 
+	if (len >= BQ27500_MAX_NAME_LEN) {
+		dev_info(di->dev, "model name too long, length = %d\n", len);
+		len = BQ27500_MAX_NAME_LEN - 1;
+	}
+
 	for (i = 0; i < len; ++i)
 		model_name[i] = bq27x00_read(di, BQ27500_REG_DEV_NAME + i,
 					     false);
+	model_name[i] = '\0';
 
 	return 0;
 }
@@ -942,7 +948,7 @@ static int bq27x00_battery_probe(struct i2c_client *client,
 
 	retval = bq27x00_battery_model_name(di);
 	if (retval)
-		strcpy(model_name, "unknown");
+		strlcpy(model_name, "unknown", BQ27500_MAX_NAME_LEN);
 
 	return 0;