2436793 – (CVE-2025-71197) CVE-2025-71197 kernel: w1: therm: Fix off-by-one buffer overflow in alarms_store

Bug 2436793 (CVE-2025-71197) - CVE-2025-71197 kernel: w1: therm: Fix off-by-one buffer overflow in alarms_store

Summary: CVE-2025-71197 kernel: w1: therm: Fix off-by-one buffer overflow in alarms_store

Keywords:
Status:	NEW
Alias:	CVE-2025-71197
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-02-04 17:03 UTC by OSIDB Bzimport
Modified:	2026-02-04 23:25 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-02-04 17:03:40 UTC

In the Linux kernel, the following vulnerability has been resolved:

w1: therm: Fix off-by-one buffer overflow in alarms_store

The sysfs buffer passed to alarms_store() is allocated with 'size + 1'
bytes and a NUL terminator is appended. However, the 'size' argument
does not account for this extra byte. The original code then allocated
'size' bytes and used strcpy() to copy 'buf', which always writes one
byte past the allocated buffer since strcpy() copies until the NUL
terminator at index 'size'.

Fix this by parsing the 'buf' parameter directly using simple_strtoll()
without allocating any intermediate memory or string copying. This
removes the overflow while simplifying the code.

Note You need to log in before you can comment on or make changes to this bug.