From 0d847c06fec07bf032d415cb74f291885b7336dc Mon Sep 17 00:00:00 2001
From: Trishansh Bhardwaj
Date: Tue, 10 Aug 2021 06:47:52 +0000
Subject: [PATCH] msm: camera: sync: Prevent OOB access of sync name
Issue: strlcpy calls strlen on src ptr. If src is not NULL terminated then OOB access will occur in below stack. strlen strlcpy cam_sync_init_row cam_sync_handle_create cam_sync_dev_ioctl
Fix: Pad user-space supplied name with NULL.
CRs-Fixed: 3010262
Change-Id: Ib5c2fbfe395025ec05e0bb2980f86111e95ff54c
Signed-off-by: Trishansh Bhardwaj
---
 drivers/cam_sync/cam_sync.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/drivers/cam_sync/cam_sync.c b/drivers/cam_sync/cam_sync.c
index 3ca4a130c6..476ace5934 100644
--- a/drivers/cam_sync/cam_sync.c
+++ b/drivers/cam_sync/cam_sync.c
@@ -488,6 +488,7 @@ static int cam_sync_handle_create(struct cam_private_ioctl_arg *k_ioctl)
 u64_to_user_ptr(k_ioctl->ioctl_ptr), k_ioctl->size))
 return -EFAULT;
+ sync_create.name[SYNC_DEBUG_NAME_LEN] = '\0';
 result = cam_sync_create(&sync_create.sync_obj, sync_create.name);
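Review bot: The added terminator write `sync_create.name[SYNC_DEBUG_NAME_LEN] = '\0';` is only in bounds if `name` is declared with at least `SYNC_DEBUG_NAME_LEN + 1` bytes, and that declaration is not visible in this hunk. If the array is sized exactly `SYNC_DEBUG_NAME_LEN`, the line would write one byte past the field it is meant to protect. Deriving the index from the field itself, `sync_create.name[sizeof(sync_create.name) - 1] = '\0';`, keeps the fix correct even if the macro and the struct definition drift apart. The body of cam_sync_handle_create starts and ends outside the hunk, so whether `k_ioctl->size` is checked against the struct size before the copy could not be confirmed from here.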