msm: adsprpc: Fix integer overflow in refcount of map Integer overflow in refcount of map is leading to use after free. Error out if refcount reaches INT_MAX Change-Id: I21e88361a8e70ef8c5c9593f1fc0ddd2b351a55a Acked-by: Himateja Reddy <hmreddy@qti.qualcomm.com> Signed-off-by: Tharun Kumar Merugu <mtharu@codeaurora.org>

commit: 496ad3440461aff8eb27e264b34cee0a9b6678a7 [log] [tgz]
author: Tharun Kumar Merugu <mtharu@codeaurora.org> Thu Jun 06 15:01:42 2019 +0530
committer: Tharun Kumar Merugu <mtharu@codeaurora.org> Mon Jun 17 20:10:59 2019 +0530
tree: fbe69eaecc0cbf1667af2e79109812840494f31d
parent: 3541909b95792dbd2462c1d39b074abee482b20b [diff] [blame]
diff --git a/drivers/char/adsprpc.c b/drivers/char/adsprpc.c
index cd7545a..dea48e1 100644
--- a/drivers/char/adsprpc.c
+++ b/drivers/char/adsprpc.c

@@ -623,8 +623,13 @@
 			if (va >= map->va &&
 				va + len <= map->va + map->len &&
 				map->fd == fd) {
-				if (refs)
+				if (refs) {
+					if (map->refs + 1 == INT_MAX) {
+						spin_unlock(&me->hlock);
+						return -ETOOMANYREFS;
+					}
 					map->refs++;
+				}
 				match = map;
 				break;
 			}
@@ -635,8 +640,11 @@
 			if (va >= map->va &&
 				va + len <= map->va + map->len &&
 				map->fd == fd) {
-				if (refs)
+				if (refs) {
+					if (map->refs + 1 == INT_MAX)
+						return -ETOOMANYREFS;
 					map->refs++;
+				}
 				match = map;
 				break;
 			}
commit	496ad3440461aff8eb27e264b34cee0a9b6678a7	[log] [tgz]
author	Tharun Kumar Merugu <mtharu@codeaurora.org>	Thu Jun 06 15:01:42 2019 +0530
committer	Tharun Kumar Merugu <mtharu@codeaurora.org>	Mon Jun 17 20:10:59 2019 +0530
tree	fbe69eaecc0cbf1667af2e79109812840494f31d
parent	3541909b95792dbd2462c1d39b074abee482b20b [diff] [blame]