Merge "msm: camera: flash: Copy flash info to avoid TOCTOU" into camera-kernel.qclinux.1.0

Author: Camera Software Integration

camera/drivers/cam_sensor_module/cam_flash/cam_flash_core.c

@@ -1312,6 +1312,7 @@ int cam_flash_pmic_pkt_parser(struct cam_flash_ctrl *fctrl, void *arg)
 	struct cam_req_mgr_add_request add_req = {0};
 	struct cam_flash_init *cam_flash_info = NULL;
 	struct cam_flash_set_rer *flash_rer_info = NULL;
+	struct cam_flash_set_rer *flash_rer_info_u = NULL;
 	struct cam_flash_set_on_off *flash_operation_info = NULL;
 	struct cam_flash_set_on_off *flash_operation_info_u = NULL;
 	struct cam_flash_query_curr *flash_query_info = NULL;
@@ -1786,21 +1787,47 @@ int cam_flash_pmic_pkt_parser(struct cam_flash_ctrl *fctrl, void *arg)
 				cam_mem_put_cpu_buf(config.packet_handle);
 				return rc;
 			}
-			flash_rer_info = (struct cam_flash_set_rer *)cmd_buf;
-			if (!flash_rer_info) {
+			flash_rer_info_u = (struct cam_flash_set_rer *)cmd_buf;
+			if (!flash_rer_info_u) {
 				CAM_ERR(CAM_FLASH,
 					"flash_rer_info Null");
 				rc = -EINVAL;
 				cam_mem_put_cpu_buf(cmd_desc->mem_handle);
 				cam_mem_put_cpu_buf(config.packet_handle);
 				return rc;
 			}
+
+			count = flash_rer_info_u->count;
+			rc = cam_common_mem_kdup((void**)&flash_rer_info,
+				flash_rer_info_u,
+				sizeof(struct cam_flash_set_rer));
+
+			if(rc) {
+				CAM_ERR(CAM_FLASH, "Alloc and copy flash operation info failed");
+				break;
+			}
+
+			if (!flash_rer_info) {
+				CAM_ERR(CAM_FLASH, "Memory allocation for flash_rer_info failed");
+				rc = -ENOMEM;
+				break;
+			}
+
+			if (count != flash_rer_info->count) {
+				CAM_ERR(CAM_FLASH, "Count changed: userspace: %d, kernel: %d",
+					count, flash_rer_info->count);
+				rc = -EINVAL;
+				cam_common_mem_free(flash_rer_info);
+				break;
+			}
+
 			if (flash_rer_info->count >
 				CAM_FLASH_MAX_LED_TRIGGERS) {
 				CAM_ERR(CAM_FLASH, "led count out of limit");
 				rc = -EINVAL;
 				cam_mem_put_cpu_buf(cmd_desc->mem_handle);
 				cam_mem_put_cpu_buf(config.packet_handle);
+				cam_common_mem_free(flash_rer_info);
 				return rc;
 			}
 
@@ -1826,6 +1853,7 @@ int cam_flash_pmic_pkt_parser(struct cam_flash_ctrl *fctrl, void *arg)
 					rc);
 			cam_mem_put_cpu_buf(cmd_desc->mem_handle);
 			cam_mem_put_cpu_buf(config.packet_handle);
+			cam_common_mem_free(flash_rer_info);
 			return rc;
 		}
 		default:

camera_kt/drivers/cam_sensor_module/cam_flash/cam_flash_core.c

@@ -1397,6 +1397,7 @@ int cam_flash_pmic_pkt_parser(struct cam_flash_ctrl *fctrl, void *arg)
 	struct cam_req_mgr_add_request add_req = {0};
 	struct cam_flash_init *cam_flash_info = NULL;
 	struct cam_flash_set_rer *flash_rer_info = NULL;
+	struct cam_flash_set_rer *flash_rer_info_u = NULL;
 	struct cam_flash_set_on_off *flash_operation_info = NULL;
 	struct cam_flash_set_on_off *flash_operation_info_u = NULL;
 	struct cam_flash_query_curr *flash_query_info = NULL;
@@ -1824,16 +1825,42 @@ int cam_flash_pmic_pkt_parser(struct cam_flash_ctrl *fctrl, void *arg)
 				rc = -EINVAL;
 				return rc;
 			}
-			flash_rer_info = (struct cam_flash_set_rer *)cmd_buf;
-			if (!flash_rer_info) {
+			flash_rer_info_u = (struct cam_flash_set_rer *)cmd_buf;
+			if (!flash_rer_info_u) {
 				CAM_ERR(CAM_FLASH,
 					"flash_rer_info Null");
 				rc = -EINVAL;
 				return rc;
 			}
+
+                        count = flash_rer_info_u->count;
+                        rc = cam_common_mem_kdup((void**)&flash_rer_info,
+                                flash_rer_info_u,
+                                sizeof(struct cam_flash_set_rer));
+
+                        if(rc) {
+                                CAM_ERR(CAM_FLASH, "Alloc and copy flash operation info failed");
+                                break;
+                        }
+
+                        if (!flash_rer_info) {
+                                CAM_ERR(CAM_FLASH, "Memory allocation for flash_rer_info failed");
+                                rc = -ENOMEM;
+                                break;
+                        }
+
+                        if (count != flash_rer_info->count) {
+                                CAM_ERR(CAM_FLASH, "Count changed: userspace: %d, kernel: %d",
+                                        count, flash_rer_info->count);
+                                rc = -EINVAL;
+                                cam_common_mem_free(flash_rer_info);
+                                break;
+                        }
+
 			if (flash_rer_info->count >
 				CAM_FLASH_MAX_LED_TRIGGERS) {
 				CAM_ERR(CAM_FLASH, "led count out of limit");
+				cam_common_mem_free(flash_rer_info);
 				rc = -EINVAL;
 				return rc;
 			}
@@ -1858,6 +1885,7 @@ int cam_flash_pmic_pkt_parser(struct cam_flash_ctrl *fctrl, void *arg)
 			if (rc)
 				CAM_ERR(CAM_FLASH, "apply_setting failed: %d",
 					rc);
+			cam_common_mem_free(flash_rer_info);
 			return rc;
 		}
 		default: