Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 807609c3 authored by Trishansh Bhardwaj's avatar Trishansh Bhardwaj Committed by Gerrit - the friendly Code Review server
Browse files

msm: camera: sync: Prevent OOB access of sync name 



Issue:
strlcpy calls strlen on src ptr. If src is not NULL terminated then OOB
access will occur in below stack.
  strlen
  strlcpy
  cam_sync_init_row
  cam_sync_handle_create
  cam_sync_dev_ioctl

Fix:
Pad user-space supplied name with NULL.

CRs-Fixed: 3010262
Change-Id: Ib5c2fbfe395025ec05e0bb2980f86111e95ff54c
Signed-off-by: default avatarTrishansh Bhardwaj <tbhardwa@codeaurora.org>
parent 0d649632

drivers/cam_sync/cam_sync.c

+2 −1
Original line number Diff line number Diff line 
// SPDX-License-Identifier: GPL-2.0-only

/*

 * Copyright (c) 2017-2020, The Linux Foundation. All rights reserved.

 * Copyright (c) 2017-2021, The Linux Foundation. All rights reserved.

 */



#include <linux/init.h>
@@ -469,6 +469,7 @@ static int cam_sync_handle_create(struct cam_private_ioctl_arg *k_ioctl) 
		u64_to_user_ptr(k_ioctl->ioctl_ptr),

		k_ioctl->size))

		return -EFAULT;

	sync_create.name[SYNC_DEBUG_NAME_LEN] = '\0';



	result = cam_sync_create(&sync_create.sync_obj,

		sync_create.name);