From d6d847142bb38caead1e180b6611e413f905b016 Mon Sep 17 00:00:00 2001
From: Greg Kaiser
Date: Fri, 23 Mar 2018 14:16:12 -0700
Subject: [PATCH] lmkd: Protect against buffer overflow
We're passing a 'line' whose backing buffer is PAGE_MAX in size into memory_stat_parse_line(). We protect overflowing the smaller LINE_MAX 'key' buffer via some C preprocessing macros to assure we limit the size.
Test: Local build with LMKD_LOG_STATS set for this file.
Bug: 76220622
Merged-In: I9e50d4270f7099e37a9bfc7fb9b9b95cc7adb086
Change-Id: I9e50d4270f7099e37a9bfc7fb9b9b95cc7adb086
---
 lmkd/lmkd.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/lmkd/lmkd.c b/lmkd/lmkd.c
index e2e5c4e37..ee2f343d9 100644
--- a/lmkd/lmkd.c
+++ b/lmkd/lmkd.c
@@ -75,6 +75,9 @@
 #define ARRAY_SIZE(x) (sizeof(x) / sizeof(*(x)))
 #define EIGHT_MEGA (1 << 23)
+#define STRINGIFY(x) STRINGIFY_INTERNAL(x)
+#define STRINGIFY_INTERNAL(x) #x
+
 /* default to old in-kernel interface if no memory pressure events */
 static int use_inkernel_interface = 1;
 static bool has_inkernel_module;
@@ -555,10 +558,10 @@ static void ctrl_connect_handler(int data __unused, uint32_t events __unused) {
 #ifdef LMKD_LOG_STATS
 static void memory_stat_parse_line(char *line, struct memory_stat *mem_st) {
- char key[LINE_MAX];
+ char key[LINE_MAX + 1];
 int64_t value;
- sscanf(line,"%s %" SCNd64 "", key, &value);
+ sscanf(line, "%" STRINGIFY(LINE_MAX) "s %" SCNd64 "", key, &value);
 if (strcmp(key, "total_") < 0) {
 return;
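Review bot: The new `STRINGIFY` / `STRINGIFY_INTERNAL` macros in the first hunk carry no comment, yet the `sscanf` width built from them later in this patch is only valid if the argument expands to a bare decimal literal. If `LINE_MAX` were ever defined with parentheses, a suffix or an arithmetic expression, the resulting conversion specification would be malformed and the bound would no longer protect `key`. I would add a comment above the macros such as `/* Two-level expansion so a macro argument is expanded before stringification; when used as a scanf field width the argument must expand to a plain decimal literal. */`.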
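Review bot: The return value of the rewritten `sscanf` call in memory_stat_parse_line is still ignored, so an empty line or one without a numeric second field leaves `key` and/or `value` uninitialized, and the `strcmp(key, "total_")` that follows then reads indeterminate stack bytes. The width limit and the `LINE_MAX + 1` buffer close the overflow, but the parse result should also be checked: `if (sscanf(line, "%" STRINGIFY(LINE_MAX) "s %" SCNd64, key, &value) != 2) return;`. The function body continues past the end of the hunk, so how `value` is consumed afterwards is not visible here.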