
Commit c33a1b4c authored by c_mtharu, committed by Gerrit - the friendly Code Review server

msm: adsprpc: Fix integer overflow in refcount of map



Integer overflow in refcount of map is leading to use after free. Error
out if refcount reaches INT_MAX.

Change-Id: I21e88361a8e70ef8c5c9593f1fc0ddd2b351a55a
Acked-by: Himateja Reddy <hmreddy@qti.qualcomm.com>
Signed-off-by: Tharun Kumar Merugu <mtharu@codeaurora.org>
parent d4009ffc
+8 −0
@@ -479,6 +479,10 @@ static int fastrpc_mmap_find(struct fastrpc_file *fl, int fd, uintptr_t va,
			if (va >= map->va &&
				va + len <= map->va + map->len &&
				map->fd == fd) {
				if (map->refs + 1 == INT_MAX) {
					spin_unlock(&me->hlock);
					return -ETOOMANYREFS;
				}
				map->refs++;
				match = map;
				break;
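Review bot: The guard `if (map->refs + 1 == INT_MAX)` relies on exact equality, so it only protects the counter if every increment of `refs` passes through a check like this one. Writing it as `if (map->refs >= INT_MAX - 1)` also rejects a value that is already at or beyond the limit and avoids evaluating `refs + 1` on a counter that may be at its maximum. The commit message says the error is returned when the refcount reaches INT_MAX, while this condition refuses the increment once `refs` is INT_MAX - 1; a short comment above the check stating the intended ceiling would remove the ambiguity.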
@@ -491,6 +495,10 @@ static int fastrpc_mmap_find(struct fastrpc_file *fl, int fd, uintptr_t va,
			if (va >= map->va &&
				va + len <= map->va + map->len &&
				map->fd == fd) {
				if (map->refs + 1 == INT_MAX) {
					spin_unlock(&fl->hlock);
					return -ETOOMANYREFS;
				}
				map->refs++;
				match = map;
				break;
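Review bot: This loop repeats the four-line guard from the first hunk with only the lock changed (`spin_unlock(&fl->hlock)` here, `spin_unlock(&me->hlock)` there), and each copy has to pair the right unlock with its early `return -ETOOMANYREFS`. Moving the bounded increment into one small helper that returns an error, and letting each loop break out to its existing unlock, would keep the two paths from drifting and remove the risk of a future edit returning with the wrong lock, or no lock, released. Separately, the unchanged range test `va + len <= map->va + map->len` in the context lines adds to a `uintptr_t` without a wrap check, which is worth confirming is validated before this function is reached.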