Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 73635df5 authored by Jeya R's avatar Jeya R
Browse files

msm: adsprpc: overflow vulnerability by race condition in adsprpc driver 



Create local copy of current->comm to avoid the possibility of modification
in race condition.

Change-Id: Ie10f6577ed7edb9279a36039348e7a1ad25239f9
Acked-by: default avatarNishant Chaubey <chaubey@qti.qualcomm.com>
Signed-off-by: default avatarJeya R <jeyr@codeaurora.org>
parent 08db65b8

drivers/char/adsprpc.c

+7 −4
Original line number Diff line number Diff line
@@ -5421,7 +5421,10 @@ static int fastrpc_set_process_info(struct fastrpc_file *fl) 
{

	int err = 0, buf_size = 0;

	char strpid[PID_SIZE];

	char cur_comm[TASK_COMM_LEN];



	memcpy(cur_comm, current->comm, TASK_COMM_LEN);

	cur_comm[TASK_COMM_LEN-1] = '\0';

	fl->tgid = current->tgid;



	/*
@@ -5433,7 +5436,7 @@ static int fastrpc_set_process_info(struct fastrpc_file *fl) 
		fl->untrusted_process = true;

	snprintf(strpid, PID_SIZE, "%d", current->pid);

	if (debugfs_root) {

		buf_size = strlen(current->comm) + strlen("_")

		buf_size = strlen(cur_comm) + strlen("_")

			+ strlen(strpid) + 1;



		spin_lock(&fl->hlock);
@@ -5449,13 +5452,13 @@ static int fastrpc_set_process_info(struct fastrpc_file *fl) 
			err = -ENOMEM;

			return err;

		}

		snprintf(fl->debug_buf, UL_SIZE, "%.10s%s%d",

			current->comm, "_", current->pid);

		snprintf(fl->debug_buf, buf_size, "%.10s%s%d",

			cur_comm, "_", current->pid);

		fl->debugfs_file = debugfs_create_file(fl->debug_buf, 0644,

			debugfs_root, fl, &debugfs_fops);

		if (IS_ERR_OR_NULL(fl->debugfs_file)) {

			pr_warn("Error: %s: %s: failed to create debugfs file %s\n",

				current->comm, __func__, fl->debug_buf);

				cur_comm, __func__, fl->debug_buf);

			fl->debugfs_file = NULL;

			kfree(fl->debug_buf);

			fl->debug_buf = NULL;