From d064f9840e1381c6f77372473fe623694ddc5f0d Mon Sep 17 00:00:00 2001
From: mingzh
Date: Fri, 5 Jul 2024 14:45:20 +0800
Subject: [PATCH 1/3] dsp-kernel: use memcpy() instead of strcpy()

Current code uses strcpy() to copy strings, which has a problem with potential buffer overflows if the source string is longer than the destination buffer. We can improve this by using memcpy() with a specified length, because it allows us to control the number of bytes copied and thus prevent buffer overflows.

Change-Id: I9dd5da343bfd63e4e031a66fa26b103e3da573e0
Signed-off-by: mingzh
---
 dsp/fastrpc_trace.h | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/dsp/fastrpc_trace.h b/dsp/fastrpc_trace.h
index f89c69df1b..16f0eb65e7 100644
--- a/dsp/fastrpc_trace.h
+++ b/dsp/fastrpc_trace.h
@@ -385,7 +385,10 @@ TRACE_EVENT(fastrpc_msg,
  memcpy(__get_str(buf), (message), (sizeof(message) - 1));
  __get_str(buf)[sizeof(message) - 1] = '\0';
 #else
- __assign_str(buf, message);
+ if (message)
+ __assign_str_len(buf, message, (sizeof(message) - 1));
+ else
+ memcpy(__get_str(buf), "(null)", sizeof("(null)"));
 #endif
  ),
  TP_printk(" %s", __get_str(buf))
@@ -410,7 +413,10 @@ TRACE_EVENT(fastrpc_dspsignal,
  memcpy(__get_str(buf), (event), (sizeof(event) - 1));
  __get_str(buf)[sizeof(event) - 1] = '\0';
 #else
- __assign_str(buf, event);
+ if (event)
+ __assign_str_len(buf, event, (sizeof(event) - 1));
+ else
+ memcpy(__get_str(buf), "(null)", sizeof("(null)"));
 #endif
  __entry->signal_id = signal_id;
  __entry->state = state;
From 2466bcf3cea4ed9b37b7e8983e7e6b7ffd92e8fc Mon Sep 17 00:00:00 2001
From: quic_anane
Date: Tue, 16 Jul 2024 23:37:45 +0530
Subject: [PATCH 2/3] msm: ADSPRPC: Avoid Out-Of-Bounds access

Currently, when adding duplicate sessions to an array that holds session information, no check is performed to avoid going out of bounds. Add a check to confirm that the index is not out of bounds.

Change-Id: Ib7abcc5347ba49a8c787ec32e8519a11085456d9
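Review bot: In the new `#else` branch of both hunks, `sizeof(message) - 1` (and `sizeof(event) - 1` in the fastrpc_dspsignal hunk) is the size of a pointer minus one, not the length of the string, assuming `message`/`event` is the TP_PROTO string argument and therefore a `const char *`; on a 64-bit build `__assign_str_len` would then always copy exactly 7 bytes and write the terminator at index 7, truncating longer strings and reading past the terminator of shorter ones. The same idiom already sits in the `#if` branch, so the commit propagates that defect into the `#else` path instead of the bounded copy the description promises. The length has to come from the string or from the declared size of `buf`, e.g. `__assign_str_len(buf, message, strnlen(message, BUF_DECLARED_LEN - 1));` with `BUF_DECLARED_LEN` being the length given in the `__dynamic_array`/`__string` declaration of `buf`; if that declaration is `__string(buf, message)`, its size already tracks `strlen(message)` and the removed `__assign_str(buf, message)` was the bounded copy. The TP_fast_assign blocks and the `buf` declarations begin outside these hunks, so the declared size cannot be confirmed from here.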
Signed-off-by: quic_anane
---
 dsp/adsprpc.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/dsp/adsprpc.c b/dsp/adsprpc.c
index d7e2c3e300..631d1b31d5 100644
--- a/dsp/adsprpc.c
+++ b/dsp/adsprpc.c
@@ -8172,6 +8172,12 @@ static int fastrpc_cb_probe(struct device *dev)
  for (j = 1; j < sharedcb_count && chan->sesscount < NUM_SESSIONS; j++) {
  chan->sesscount++;
+ VERIFY(err, chan->sesscount < NUM_SESSIONS);
+ if (err) {
+ ADSPRPC_WARN("failed to add shared session, maximum sessions (%d) reached \n",
+ NUM_SESSIONS);
+ break;
+ }
  dup_sess = &chan->session[chan->sesscount];
  memcpy(dup_sess, sess, sizeof(struct fastrpc_session_ctx));
From 8168f4e0d505831f93de01088ccb1167253bfac3 Mon Sep 17 00:00:00 2001
From: ANANDU KRISHNAN E
Date: Wed, 14 Aug 2024 10:39:55 +0530
Subject: [PATCH 3/3] msm: adsprpc: Avoid taking reference for group_info

Currently, the get_current_groups API accesses group info, which increases the usage refcount. If the IOCTL using the get_current_groups API is called many times, the usage counter overflows. To avoid this, access group info without taking a reference. A reference is not required as group info is not released during the IOCTL call.

Change-Id: Iec31c90f9fd1a837fb697d5d7d1baba7d285374d
Signed-off-by: ANANDU KRISHNAN E
---
 dsp/adsprpc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dsp/adsprpc.c b/dsp/adsprpc.c
index 631d1b31d5..1e840563cf 100644
--- a/dsp/adsprpc.c
+++ b/dsp/adsprpc.c
@@ -6551,7 +6551,7 @@ static int fastrpc_device_open(struct inode *inode, struct file *filp)
 static int fastrpc_get_process_gids(struct gid_list *gidlist)
 {
- struct group_info *group_info = get_current_groups();
+ struct group_info *group_info = current_cred()->group_info;
  int i = 0, err = 0, num_gids = group_info->ngroups + 1;
  unsigned int *gids = NULL;
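Review bot: The added bound check runs after `chan->sesscount++`, so when it fails `chan->sesscount` is left equal to `NUM_SESSIONS`, one past the last valid index of `chan->session[]`, and `err` stays set by `VERIFY` across the `break`; any later use of `chan->sesscount` as an index, or a return of `err` from `fastrpc_cb_probe` (its body continues outside the hunk), could turn a merely full table into an out-of-bounds access or a probe failure. Undo the increment before leaving, `chan->sesscount--;` ahead of `break;`, and clear `err = 0;` there as well if exhausting the slots is meant to be non-fatal. Alternatively make the loop condition itself exclude the last slot, `chan->sesscount + 1 < NUM_SESSIONS`, which makes the post-increment check unnecessary; that line is context here, so the change would widen the hunk. The stray space before `\n` in the `ADSPRPC_WARN` format string should also go.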