msm: adsprpc: Fix integer overflow in refcount of map

Integer overflow in refcount of map is leading to use after free. Error out if refcount reaches INT_MAX. Change-Id: I21e88361a8e70ef8c5c9593f1fc0ddd2b351a55a Acked-by: Himateja Reddy <hmreddy@qti.qualcomm.com> Signed-off-by: Tharun Kumar Merugu <mtharu@codeaurora.org>
EssentialOpenSource · Dec 2, 2019 · 8859e3c · 8859e3c
1 parent fbd2d45
commit 8859e3c
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/drivers/char/adsprpc.c b/drivers/char/adsprpc.c
@@ -432,6 +432,10 @@ static int fastrpc_mmap_find(struct fastrpc_file *fl, int fd, uintptr_t va,
 			if (va >= map->va &&
 				va + len <= map->va + map->len &&
 				map->fd == fd) {
+				if (map->refs + 1 == INT_MAX) {
+					spin_unlock(&fl->hlock);
+					return -ETOOMANYREFS;
+				}
 				map->refs++;
 				match = map;
 				break;
@@ -444,6 +448,10 @@ static int fastrpc_mmap_find(struct fastrpc_file *fl, int fd, uintptr_t va,
 			if (va >= map->va &&
 				va + len <= map->va + map->len &&
 				map->fd == fd) {
+				if (map->refs + 1 == INT_MAX) {
+					spin_unlock(&me->hlock);
+					return -ETOOMANYREFS;
+				}
 				map->refs++;
 				match = map;
 				break;