DivestOS/Patches/Linux_CVEs/CVE-2017-0746/ANY/0001.patch

44 lines
1.3 KiB
Diff
Raw Normal View History

From a793531b751d8c3609e2bf1a5dc2c0f10e003632 Mon Sep 17 00:00:00 2001
From: Utkarsh Saxena <usaxena@codeaurora.org>
Date: Tue, 25 Apr 2017 17:39:41 +0530
Subject: [PATCH] msm: ipa: Fix for missing int overflow check in the refcount
library
Overflow of reference counter can lead to memory leak.
Before incrementing the reference count, check with
U32_MAX and return for error check.
Bug: 35467471
Change-Id: Ib96d36574ee086ec73c9836110cb2c98e8ae3d66
Acked-by: Mohammed Javid <mjavid@qti.qualcomm.com>
Signed-off-by: Utkarsh Saxena <usaxena@codeaurora.org>
---
drivers/platform/msm/ipa/ipa_rt.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/platform/msm/ipa/ipa_rt.c b/drivers/platform/msm/ipa/ipa_rt.c
index 47767cdafa70f..81c6331da8a54 100644
--- a/drivers/platform/msm/ipa/ipa_rt.c
+++ b/drivers/platform/msm/ipa/ipa_rt.c
@@ -1289,6 +1289,10 @@ int ipa_get_rt_tbl(struct ipa_ioc_get_rt_tbl *lookup)
mutex_lock(&ipa_ctx->lock);
entry = __ipa_find_rt_tbl(lookup->ip, lookup->name);
if (entry && entry->cookie == IPA_COOKIE) {
+ if (entry->ref_cnt == ((u32)~0U)) {
+ IPAERR("fail: ref count crossed limit\n");
+ goto ret;
+ }
entry->ref_cnt++;
lookup->hdl = entry->id;
@@ -1298,6 +1302,8 @@ int ipa_get_rt_tbl(struct ipa_ioc_get_rt_tbl *lookup)
result = 0;
}
+
+ret:
mutex_unlock(&ipa_ctx->lock);
return result;