authorc_mtharu <mtharu@codeaurora.org>2019-09-17 12:52:12 +0530
committerc_mtharu <mtharu@codeaurora.org>2019-09-17 12:52:12 +0530
commitfab8f054af1ba6f5026e3807d4fefb009436698e (patch)
treea847c9e74557bc1faf1fddf9229889a4ba54b901
parent6e94fb15c868d3599ea8cad7f0aa81786b79baaf (diff)
msm: adsprpc: Fix integer overflow in refcount of map
Integer overflow in refcount of map is leading to use after free. Error out if refcount reaches INT_MAX. Change-Id: I21e88361a8e70ef8c5c9593f1fc0ddd2b351a55a Acked-by: Himateja Reddy <hmreddy@qti.qualcomm.com> Signed-off-by: Tharun Kumar Merugu <mtharu@codeaurora.org>
-rw-r--r--drivers/char/adsprpc.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/drivers/char/adsprpc.c b/drivers/char/adsprpc.c
index 0e7befd4a146..fd351b921d7d 100644
--- a/drivers/char/adsprpc.c
+++ b/drivers/char/adsprpc.c
@@ -479,6 +479,10 @@ static int fastrpc_mmap_find(struct fastrpc_file *fl, int fd, uintptr_t va,
if (va >= map->va &&
va + len <= map->va + map->len &&
map->fd == fd) {
+ if (map->refs + 1 == INT_MAX) {
+ spin_unlock(&me->hlock);
+ return -ETOOMANYREFS;
+ }
map->refs++;
match = map;
break;
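Review bot: The added guard `if (map->refs + 1 == INT_MAX)` is an exact-equality test, so it protects the counter only while every increment of `map->refs` passes through a check like this one. If the count ever reaches INT_MAX by another path, the guard no longer fires, and the `+ 1` would itself overflow if `refs` is a signed int (its declaration is not visible here). A range test such as `if (map->refs >= INT_MAX - 1)` fails closed in that case, and the identical guard in the second hunk (the `fl->hlock` loop) should change the same way. Longer term, the kernel's saturating `refcount_t` would replace the hand-written limit. fastrpc_mmap_find starts and ends outside the hunk, so the matching lock acquisition and how callers treat -ETOOMANYREFS (as an error rather than "not found") should be confirmed.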
@@ -491,6 +495,10 @@ static int fastrpc_mmap_find(struct fastrpc_file *fl, int fd, uintptr_t va,
if (va >= map->va &&
va + len <= map->va + map->len &&
map->fd == fd) {
+ if (map->refs + 1 == INT_MAX) {
+ spin_unlock(&fl->hlock);
+ return -ETOOMANYREFS;
+ }
map->refs++;
match = map;
break;
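Review bot: The containment test directly above the new guard, `va + len <= map->va + map->len`, is unchecked unsigned arithmetic, so a `va + len` sum that wraps can satisfy the comparison for a range that does not lie inside the mapping. The refcount fix does not cover this. `va` is a `uintptr_t` per the hunk header, but the type and origin of `len` are not visible here; if both are caller-supplied, the wrap should be rejected before the list walk, for example with `if (va + len < va) return -EINVAL;`. The loop in the first hunk uses the same comparison. The function body begins and ends outside the hunk, so an existing check earlier in fastrpc_mmap_find cannot be ruled out.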