msm: adsprpc: Fix integer overflow in refcount of map

c_mtharu · jb-essential · commit 8859e3c7e4ca · 2019-12-03T08:32:25.000+09:00
Integer overflow in refcount of map is leading to use after free. Error
out if refcount reaches INT_MAX.

Change-Id: I21e88361a8e70ef8c5c9593f1fc0ddd2b351a55a
Acked-by: Himateja Reddy &lt;hmreddy@qti.qualcomm.com&gt;
Signed-off-by: Tharun Kumar Merugu &lt;mtharu@codeaurora.org&gt;
diff --git a/drivers/char/adsprpc.c b/drivers/char/adsprpc.c
@@ -432,6 +432,10 @@ static int fastrpc_mmap_find(struct fastrpc_file *fl, int fd, uintptr_t va,
 			if (va >= map->va &&
 				va + len <= map->va + map->len &&
 				map->fd == fd) {
+				if (map->refs + 1 == INT_MAX) {
+					spin_unlock(&fl->hlock);
+					return -ETOOMANYREFS;
+				}
 				map->refs++;
 				match = map;
 				break;
@@ -444,6 +448,10 @@ static int fastrpc_mmap_find(struct fastrpc_file *fl, int fd, uintptr_t va,
 			if (va >= map->va &&
 				va + len <= map->va + map->len &&
 				map->fd == fd) {
+				if (map->refs + 1 == INT_MAX) {
+					spin_unlock(&me->hlock);
+					return -ETOOMANYREFS;
+				}
 				map->refs++;
 				match = map;
 				break;
