Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 0a037dde authored by Tharun Kumar Merugu's avatar Tharun Kumar Merugu
Browse files

msm: adsprpc: Fix integer overflow in refcount of map 



Integer overflow in refcount of map is leading to use after free. Error
out if refcount reaches INT_MAX.

Change-Id: I21e88361a8e70ef8c5c9593f1fc0ddd2b351a55a
Acked-by: default avatarHimateja Reddy <hmreddy@qti.qualcomm.com>
Signed-off-by: default avatarTharun Kumar Merugu <mtharu@codeaurora.org>
parent d3d6e9be

drivers/char/adsprpc.c

+10 −2
Original line number Original line Diff line number Diff line
@@ -609,8 +609,13 @@ static int fastrpc_mmap_find(struct fastrpc_file *fl, int fd, 
			if (va >= map->va &&

			if (va >= map->va &&

				va + len <= map->va + map->len &&

				va + len <= map->va + map->len &&

				map->fd == fd) {

				map->fd == fd) {

				if (refs)

				if (refs) {

					if (map->refs + 1 == INT_MAX) {

						spin_unlock(&me->hlock);

						return -ETOOMANYREFS;

					}

					map->refs++;

					map->refs++;

				}

				match = map;

				match = map;

				break;

				break;

			}

			}
@@ -621,8 +626,11 @@ static int fastrpc_mmap_find(struct fastrpc_file *fl, int fd, 
			if (va >= map->va &&

			if (va >= map->va &&

				va + len <= map->va + map->len &&

				va + len <= map->va + map->len &&

				map->fd == fd) {

				map->fd == fd) {

				if (refs)

				if (refs) {

					if (map->refs + 1 == INT_MAX)

						return -ETOOMANYREFS;

					map->refs++;

					map->refs++;

				}

				match = map;

				match = map;

				break;

				break;

			}

			}