Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit f0da9b0c authored by Greg Kaiser's avatar Greg Kaiser Committed by Suren Baghdasaryan
Browse files

lmkd: Protect against buffer overflow 

We're passing a 'line' whose backing buffer is PAGE_MAX in size
into memory_stat_parse_line().  We protect overflowing the smaller
LINE_MAX 'key' buffer via some C preprocessing macros to assure
we limit the size.

Test: Local build with LMKD_LOG_STATS set for this file.
Bug: 76220622
Change-Id: I9e50d4270f7099e37a9bfc7fb9b9b95cc7adb086
parent 7d4e7d31

lmkd/lmkd.c

+5 −2
Original line number Diff line number Diff line
@@ -82,6 +82,9 @@ 
/* Defined as ProcessList.SYSTEM_ADJ in ProcessList.java */

#define SYSTEM_ADJ (-900)



#define STRINGIFY(x) STRINGIFY_INTERNAL(x)

#define STRINGIFY_INTERNAL(x) #x



/* default to old in-kernel interface if no memory pressure events */

static bool use_inkernel_interface = true;

static bool has_inkernel_module;
@@ -730,10 +733,10 @@ static void ctrl_connect_handler(int data __unused, uint32_t events __unused) { 


#ifdef LMKD_LOG_STATS

static void memory_stat_parse_line(char *line, struct memory_stat *mem_st) {

    char key[LINE_MAX];

    char key[LINE_MAX + 1];

    int64_t value;



    sscanf(line,"%s  %" SCNd64 "", key, &value);

    sscanf(line, "%" STRINGIFY(LINE_MAX) "s  %" SCNd64 "", key, &value);



    if (strcmp(key, "total_") < 0) {

        return;