msm: adsprpc: overflow vulnerability by race condition in adsprpc driver

Create local copy of current->comm to avoid the possibility of modification in race condition. Change-Id: Ie10f6577ed7edb9279a36039348e7a1ad25239f9 Acked-by: Nishant Chaubey <chaubey@qti.qualcomm.com> Signed-off-by: Jeya R <jeyr@codeaurora.org>
khusika · Apr 1, 2021 · c86a1b0 · c86a1b0
1 parent ddc41ae
commit c86a1b0
Showing 1 changed file with 8 additions and 4 deletions.
diff --git a/drivers/char/adsprpc.c b/drivers/char/adsprpc.c
@@ -3604,22 +3604,26 @@ static int fastrpc_set_process_info(struct fastrpc_file *fl)
 {
 	int err = 0, buf_size = 0;
 	char strpid[PID_SIZE];
+	char cur_comm[TASK_COMM_LEN];
 
+	memcpy(cur_comm, current->comm, TASK_COMM_LEN);
+	cur_comm[TASK_COMM_LEN-1] = '\0';
 	fl->tgid = current->tgid;
 	snprintf(strpid, PID_SIZE, "%d", current->pid);
-	buf_size = strlen(current->comm) + strlen("_") + strlen(strpid) + 1;
+	buf_size = strlen(cur_comm) + strlen("_") + strlen(strpid) + 1;
 	fl->debug_buf = kzalloc(buf_size, GFP_KERNEL);
 	if (!fl->debug_buf) {
 		err = -ENOMEM;
 		return err;
 	}
-	snprintf(fl->debug_buf, UL_SIZE, "%.10s%s%d",
-			current->comm, "_", current->pid);
+	snprintf(fl->debug_buf, buf_size, "%.10s%s%d",
+			cur_comm, "_", current->pid);
 	fl->debugfs_file = debugfs_create_file(fl->debug_buf, 0644,
 					debugfs_root, fl, &debugfs_fops);
 	if (!fl->debugfs_file)
 		pr_warn("Error: %s: %s: failed to create debugfs file %s\n",
-				current->comm, __func__, fl->debug_buf);
+				cur_comm, __func__, fl->debug_buf);
+
 	return err;
 }