From 9267e267be78e29e9539c63969738d139980981b Mon Sep 17 00:00:00 2001 From: John Stultz Date: Thu, 18 Jan 2024 10:49:48 -0800 Subject: [PATCH] ANDROID: uid_sys_stats: Fully initialize uid_entry_tmp value Amit Pundir at Linaro reported seeing crashes in uid_sys_stats driver when building with GCC. Looking into it, it seems the uid_entry_tmp value is used while only partially initialized, causing potential out of bound access on the uid_entry io arrays. This likely has gone unnoticed with clang as I believe we're using the zero initialization for stack variables security feature. So change the logic to fully initialize the uid_entry_tmp value. Fixes: f68d4f3c3b53 ("ANDROID: uid_sys_stat: instead update_io_stats_uid_locked to update_io_stats_uid") Reported-by: Amit Pundir Signed-off-by: John Stultz Change-Id: I78de245e80ef60aabec78a615c7ba582ab5a2242 --- drivers/misc/uid_sys_stats.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/drivers/misc/uid_sys_stats.c b/drivers/misc/uid_sys_stats.c index 095962102ac7..e5d8af9712a0 100644 --- a/drivers/misc/uid_sys_stats.c +++ b/drivers/misc/uid_sys_stats.c @@ -684,9 +684,8 @@ static ssize_t uid_procstat_write(struct file *file, * so that we can unlock_uid during update_io_stats_uid, in order * to avoid the unnecessary lock-time of uid_lock. */ - uid_entry_tmp.uid = uid_entry->uid; - memcpy(uid_entry_tmp.io, uid_entry->io, - sizeof(struct io_stats) * UID_STATE_SIZE); + uid_entry_tmp = *uid_entry; + unlock_uid(uid); update_io_stats_uid(&uid_entry_tmp);
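Review bot: the whole-struct assignment `uid_entry_tmp = *uid_entry;` also copies every other member of the entry (such as the hash-list node that links the original into the uid table), not just `uid` and `io` as the replaced memcpy did, so the stack copy must only ever be read through `update_io_stats_uid()` and never inserted into or removed from a list; a one-line comment next to the assignment saying that the copy is a read-only snapshot taken under the lock would make that explicit for the next person who touches this path. The ordering is right: the snapshot is completed before `unlock_uid(uid);`, which matches the comment above the hunk about keeping lock hold time short. Minor style point: the added blank line between the assignment and `unlock_uid(uid);` splits the copy from the unlock that the preceding comment describes as one step; dropping it keeps the hunk to a single inserted line. Since the crash was reported with GCC and masked by clang's stack-variable zero-initialization, the commit message would benefit from stating that the fix was rebuilt and tested with GCC.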