msm: adsprpc: Fix integer overflow in refcount of map
An integer overflow in the refcount of a map leads to a use-after-free.
Error out if the refcount reaches INT_MAX.
Change-Id: I21e88361a8e70ef8c5c9593f1fc0ddd2b351a55a
Acked-by: Himateja Reddy <hmreddy@qti.qualcomm.com>
Signed-off-by: Tharun Kumar Merugu <mtharu@codeaurora.org>
diff --git a/drivers/char/adsprpc.c b/drivers/char/adsprpc.c
index cd7545a..dea48e1 100644
--- a/drivers/char/adsprpc.c
+++ b/drivers/char/adsprpc.c
@@ -623,8 +623,13 @@
if (va >= map->va &&
va + len <= map->va + map->len &&
map->fd == fd) {
- if (refs)
+ if (refs) {
+ if (map->refs + 1 == INT_MAX) {
+ spin_unlock(&me->hlock);
+ return -ETOOMANYREFS;
+ }
map->refs++;
+ }
match = map;
break;
}
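Review bot: The new guard `if (map->refs + 1 == INT_MAX)` is an exact-equality test, so it only fires at a single value of the counter. If `refs` (presumably a signed int) ever gets past that value through an increment elsewhere that lacks this check, `map->refs + 1` itself overflows and the guard never triggers again. A range test such as `if (map->refs >= INT_MAX - 1) {` avoids the signed addition and fails closed; the same applies to the identical test in the second hunk. Separately, the context condition `va + len <= map->va + map->len` can wrap if `va` and `len` arrive from the caller unvalidated, and that validation is not visible here. The enclosing loop and function start and end outside the hunk.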
@@ -635,8 +640,11 @@
if (va >= map->va &&
va + len <= map->va + map->len &&
map->fd == fd) {
- if (refs)
+ if (refs) {
+ if (map->refs + 1 == INT_MAX)
+ return -ETOOMANYREFS;
map->refs++;
+ }
match = map;
break;
}
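Review bot: The early `return -ETOOMANYREFS;` here releases no lock, whereas the same path in the first hunk calls `spin_unlock(&me->hlock)` first, and nothing in the hunk shows what serializes `map->refs` in this loop. The check followed by `map->refs++` is not atomic, so the overflow guard only holds if the caller already holds a lock covering this list; if it does not, two concurrent lookups can both pass the test. I would document the requirement above the test, for example `/* map->refs is protected by <lock held by caller>; nothing to release on this path */`, or move the counter to the kernel's saturating `refcount_t` so the limit is enforced at every increment. It is also worth confirming that every caller propagates the new negative return instead of treating the lookup as a simple miss; the function's callers and its locking are outside the hunk.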