Commit 85036a95 authored Sep 24, 2025 by Richard Chang

ANDROID: zram: ioctl: Ignore swap entries from other devices



The zram_process_walker() iterates over a process's page tables to
identify swap entries backed by a zram device for writeback. It
extracts the offset from each swap entry to locate the corresponding
page in the zram device.

A process can have pages swapped out to multiple different swap devices.
The walker did not verify that a found swap entry actually belongs to
the zram device being operated on.

If the walker encounters a swap entry from a different swap device, it
could use an offset that is larger than the current zram device's size,
leading to an out-of-bounds memory access.

Fix this by first checking that the swap entry's backing device matches
the current zram device. Then, add a range check to ensure the offset is
within the valid range before using it.

Bug: 447017656
Change-Id: Ic74688f21b7cd96408bfdfd2fe1a0acac52517da
Signed-off-by: Richard Chang <richardycc@google.com>

parent e4e7aec4

Show whitespace changes

Inline Side-by-side

CodeLinaro @codelinaro
mentioned in commit 04ec5c06
· Nov 05, 2025

mentioned in commit 04ec5c06

mentioned in commit 04ec5c06e141d232680c043d51234506d2e9d90f

Toggle commit list
CodeLinaro @codelinaro
mentioned in commit 92d3ba8b
· Nov 05, 2025

mentioned in commit 92d3ba8b

mentioned in commit 92d3ba8bbda097db9fb0021b4a868883961918fb

Toggle commit list

Please to comment