evie/android_kernel_oneplus_msm8998
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

msm: adsprpc: Fix integer overflow in refcount of map

Browse source 
Integer overflow in refcount of map is leading to use after free. Error
out if refcount reaches INT_MAX.

Change-Id: I21e88361a8e70ef8c5c9593f1fc0ddd2b351a55a
Acked-by: Himateja Reddy <hmreddy@qti.qualcomm.com>
Signed-off-by: Tharun Kumar Merugu <mtharu@codeaurora.org>
This commit is contained in:
c_mtharu 2019-09-17 12:52:12 +05:30
parent 6e94fb15c8
commit fab8f054af
1 changed files with 8 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
drivers/char/adsprpc.c
View file

@ -479,6 +479,10 @@ static int fastrpc_mmap_find(struct fastrpc_file *fl, int fd, uintptr_t va,
if (va >= map->va && if (va >= map->va &&
va + len <= map->va + map->len && va + len <= map->va + map->len &&
map->fd == fd) { map->fd == fd) {
if (map->refs + 1 == INT_MAX) {
spin_unlock(&me->hlock);
return -ETOOMANYREFS;
}
map->refs++; map->refs++;
match = map; match = map;
break; break;
@ -491,6 +495,10 @@ static int fastrpc_mmap_find(struct fastrpc_file *fl, int fd, uintptr_t va,
if (va >= map->va && if (va >= map->va &&
va + len <= map->va + map->len && va + len <= map->va + map->len &&
map->fd == fd) { map->fd == fd) {
if (map->refs + 1 == INT_MAX) {
spin_unlock(&fl->hlock);
return -ETOOMANYREFS;
}
map->refs++; map->refs++;
match = map; match = map;
break; break;