drivers: richtek: fix write-out-of-bounds in rt1711_init_alert()

KASAN warns about a write-out-of-bounds in rt1711_init_alert():

	len = strlen(chip->tcpc_desc->name);
	name = kzalloc(sizeof(len + 5), GFP_KERNEL);        <- allocated here
	sprintf(name, "%s-IRQ", chip->tcpc_desc->name);     <- written here

The stray sizeof() operator means it's allocating 4 bytes rather than
the intended strlen(...) + 5 bytes.

Change-Id: Iaecc36682754948c9fa983ab9a88486690a1358d
Signed-off-by: Greg Hackmann <ghackmann@google.com>

diff --git a/drivers/usb/pd/richtek/tcpc_rt1711h.c b/drivers/usb/pd/richtek/tcpc_rt1711h.c
index 1d1eb38ab1495a9def88c06d065fb2c8c440fe5e..3dadf0b9e20f146db1380ce87b37cb3e593be69f 100644 (file)
--- a/drivers/usb/pd/richtek/tcpc_rt1711h.c
+++ b/drivers/usb/pd/richtek/tcpc_rt1711h.c
@@ -535,7 +535,7 @@ static int rt1711_init_alert(struct tcpc_device *tcpc)
        rt1711_write_word(chip->client, TCPC_V10_REG_ALERT, 0xffff);
 
        len = strlen(chip->tcpc_desc->name);
-       name = kzalloc(sizeof(len + 5), GFP_KERNEL);
+       name = kzalloc(len + 5, GFP_KERNEL);
        sprintf(name, "%s-IRQ", chip->tcpc_desc->name);
 
        pr_info("%s name = %s\n", __func__, chip->tcpc_desc->name);