samsung-sm8650/android_kernel_samsung_sm8650-modules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

msm: camera: sync: Prevent OOB access of sync name

Browse Source 
Issue:
strlcpy calls strlen on src ptr. If src is not NULL terminated then OOB
access will occur in below stack.
  strlen
  strlcpy
  cam_sync_init_row
  cam_sync_handle_create
  cam_sync_dev_ioctl

Fix:
Pad user-space supplied name with NULL.

CRs-Fixed: 3010262
Change-Id: Ib5c2fbfe395025ec05e0bb2980f86111e95ff54c
Signed-off-by: Trishansh Bhardwaj <tbhardwa@codeaurora.org>
This commit is contained in:
Trishansh Bhardwaj
2021-08-10 06:47:52 +00:00
committed by Gerrit - the friendly Code Review server
parent 110420ce29
commit 0d847c06fe
1 changed files with 1 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
drivers/cam_sync/cam_sync.c
View File

@@ -488,6 +488,7 @@ static int cam_sync_handle_create(struct cam_private_ioctl_arg *k_ioctl)
u64_to_user_ptr(k_ioctl->ioctl_ptr), u64_to_user_ptr(k_ioctl->ioctl_ptr),
k_ioctl->size)) k_ioctl->size))
return -EFAULT; return -EFAULT;
sync_create.name[SYNC_DEBUG_NAME_LEN] = '\0';
result = cam_sync_create(&sync_create.sync_obj, result = cam_sync_create(&sync_create.sync_obj,
sync_create.name); sync_create.name);