]> www.infradead.org Git - users/dwmw2/linux.git/commitdiff
projects / users / dwmw2 / linux.git / commitdiff
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 1f5c2b9)
drm: udl: Properly check framebuffer mmap offsets
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 21 Mar 2018 15:45:53 +0000 (16:45 +0100)
committerSasha Levin <alexander.levin@microsoft.com>
Wed, 23 May 2018 01:33:53 +0000 (21:33 -0400)
[ Upstream commit 3b82a4db8eaccce735dffd50b4d4e1578099b8e8 ]

The memmap options sent to the udl framebuffer driver were not being
checked for all sets of possible crazy values.  Fix this up by properly
bounding the allowed values.

Reported-by: Eyal Itkin <eyalit@checkpoint.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: https://patchwork.freedesktop.org/patch/msgid/20180321154553.GA18454@kroah.com
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
drivers/gpu/drm/udl/udl_fb.c patch | blob | history

diff --git a/drivers/gpu/drm/udl/udl_fb.c b/drivers/gpu/drm/udl/udl_fb.c
index cd8d183dcfe5691cbec8b357b7dba4669c6e51fc..ccb26652198b370085caad137a1e1f97c79f5acc 100644 (file)
--- a/drivers/gpu/drm/udl/udl_fb.c
+++ b/drivers/gpu/drm/udl/udl_fb.c
@@ -256,10 +256,15 @@ static int udl_fb_mmap(struct fb_info *info, struct vm_area_struct *vma)
 {
        unsigned long start = vma->vm_start;
        unsigned long size = vma->vm_end - vma->vm_start;
-       unsigned long offset = vma->vm_pgoff << PAGE_SHIFT;
+       unsigned long offset;
        unsigned long page, pos;
 
-       if (offset + size > info->fix.smem_len)
+       if (vma->vm_pgoff > (~0UL >> PAGE_SHIFT))
+               return -EINVAL;
+
+       offset = vma->vm_pgoff << PAGE_SHIFT;
+
+       if (offset > info->fix.smem_len || size > info->fix.smem_len - offset)
                return -EINVAL;
 
        pos = (unsigned long)info->fix.smem_start + offset;
Unnamed repository; edit this file 'description' to name the repository.