
Commit 0a037dde authored by Tharun Kumar Merugu

msm: adsprpc: Fix integer overflow in refcount of map



Integer overflow in refcount of map is leading to use after free. Error
out if refcount reaches INT_MAX.

Change-Id: I21e88361a8e70ef8c5c9593f1fc0ddd2b351a55a
Acked-by: Himateja Reddy <hmreddy@qti.qualcomm.com>
Signed-off-by: Tharun Kumar Merugu <mtharu@codeaurora.org>
parent d3d6e9be
+10 −2
@@ -609,8 +609,13 @@ static int fastrpc_mmap_find(struct fastrpc_file *fl, int fd,
			if (va >= map->va &&
			if (va >= map->va &&
				va + len <= map->va + map->len &&
				va + len <= map->va + map->len &&
				map->fd == fd) {
				map->fd == fd) {
				if (refs)
				if (refs) {
					if (map->refs + 1 == INT_MAX) {
						spin_unlock(&me->hlock);
						return -ETOOMANYREFS;
					}
					map->refs++;
					map->refs++;
				}
				match = map;
				match = map;
				break;
				break;
			}
			}
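Review bot: The guard `if (map->refs + 1 == INT_MAX)` in this hunk is an equality test, so it fires only when the counter is exactly INT_MAX - 1. If `map->refs` ever reaches or passes that value by a path that does not go through this check, the test is skipped and `map->refs++` runs anyway. A range comparison such as `map->refs >= INT_MAX - 1` closes that gap and also avoids doing arithmetic on the counter inside the check. Where the tree provides a saturating reference-count type, converting `refs` to it would remove the need for a hand-written limit. The same guard is repeated in the second loop of this function, so a small helper would keep the two copies from drifting apart.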
@@ -621,8 +626,11 @@ static int fastrpc_mmap_find(struct fastrpc_file *fl, int fd,
			if (va >= map->va &&
			if (va >= map->va &&
				va + len <= map->va + map->len &&
				va + len <= map->va + map->len &&
				map->fd == fd) {
				map->fd == fd) {
				if (refs)
				if (refs) {
					if (map->refs + 1 == INT_MAX)
						return -ETOOMANYREFS;
					map->refs++;
					map->refs++;
				}
				match = map;
				match = map;
				break;
				break;
			}
			}
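Review bot: The early `return -ETOOMANYREFS;` in this hunk releases no lock, while the identical check in the first hunk calls `spin_unlock(&me->hlock)` before returning. Please confirm which lock, if any, protects this second list walk. If one is held here, it has to be dropped before the return. If none is held, the test and the following `map->refs++` are not atomic, and two concurrent callers can both pass the check at INT_MAX - 1. Routing both error paths through a single exit label would make the locking easier to audit. The return also skips `match = map` and everything after the loop, so callers of fastrpc_mmap_find need to handle the new error code, and a comment documenting -ETOOMANYREFS as a possible result would help.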