Commit 92d3ba8b authored Sep 24, 2025 by Richard Chang Committed by David Stevens Oct 16, 2025

ANDROID: zram: ioctl: Ignore swap entries from other devices



The zram_process_walker() iterates over a process's page tables to
identify swap entries backed by a zram device for writeback. It
extracts the offset from each swap entry to locate the corresponding
page in the zram device.

A process can have pages swapped out to multiple different swap devices.
The walker did not verify that a found swap entry actually belongs to
the zram device being operated on.

If the walker encounters a swap entry from a different swap device, it
could use an offset that is larger than the current zram device's size,
leading to an out-of-bounds memory access.

Fix this by first checking that the swap entry's backing device matches
the current zram device. Then, add a range check to ensure the offset is
within the valid range before using it.

Bug: 447017656
Change-Id: Ic74688f21b7cd96408bfdfd2fe1a0acac52517da
Signed-off-by: Richard Chang <richardycc@google.com>
(cherry picked from commit 85036a95)
Bug: 446676432
Signed-off-by: David Stevens <stevensd@google.com>

parent bc60d1da

Show whitespace changes

Inline Side-by-side

CodeLinaro @codelinaro
mentioned in commit 8979fee4
· Nov 05, 2025

mentioned in commit 8979fee4

mentioned in commit 8979fee435bfd762771c71f3cf99f6f279038337

Toggle commit list
CodeLinaro @codelinaro
mentioned in commit 6b6ffe2c
· Nov 05, 2025

mentioned in commit 6b6ffe2c

mentioned in commit 6b6ffe2c091924ce45dff6afb5304312a64ed6f0

Toggle commit list

Please to comment