Commit 9c7d2fa9 authored Jul 18, 2019 by Hardik Arya

diag: Prevent possible use-after-free while updating event mask



There is a possibility of use-after-free while populating response
for update event mask because of using mask_info without holding
md_session_lock. The patch fixes this issue by using source buffer
for populating command response.

Change-Id: I45558a9cb628ec075e1e03e55e840121769c7660
Signed-off-by: Hardik Arya <harya@codeaurora.org>

parent 6e7c2de4

drivers/char/diag/diag_masks.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -1109,7 +1109,7 @@ static int diag_cmd_update_event_mask(unsigned char *src_buf, int src_len,
		rsp.num_bits = driver->last_event_id + 1;
		memcpy(dest_buf, &rsp, header_len);
		write_len += header_len;
		memcpy(dest_buf + write_len, mask_info->ptr, mask_len);
		memcpy(dest_buf + write_len, src_buf + header_len, mask_len);
		write_len += mask_len;

		for (i = 0; i < NUM_MD_SESSIONS; i++) {