On Wed, Mar 21, 2018 at 04:45:53PM +0100, Greg Kroah-Hartman wrote:
> The memmap options sent to the udl framebuffer driver were not being
> checked for all sets of possible crazy values. Fix this up by properly
> bounding the allowed values.
>
> Reported-by: Eyal Itkin <eyalit@xxxxxxxxxxxxxx>
> Cc: stable <stable@xxxxxxxxxxxxxxx>
> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

Applied to drm-misc-fixes, thanks for the patch.

Is anyone working on overflow-proof integers? That would make a lot of
this code so much simpler if we could just ask the compiler to carry the
overflow bit around for a given expression and then check that and bail
with -EINVAL.
-Daniel

> > diff --git a/drivers/gpu/drm/udl/udl_fb.c b/drivers/gpu/drm/udl/udl_fb.c > index b5b335c9b2bb..2ebdc6d5a76e 100644 > --- a/drivers/gpu/drm/udl/udl_fb.c > +++ b/drivers/gpu/drm/udl/udl_fb.c > @@ -159,10 +159,15 @@ static int udl_fb_mmap(struct fb_info *info, struct vm_area_struct *vma) > { > unsigned long start = vma->vm_start; > unsigned long size = vma->vm_end - vma->vm_start; > - unsigned long offset = vma->vm_pgoff << PAGE_SHIFT; > + unsigned long offset; > unsigned long page, pos; > > - if (offset + size > info->fix.smem_len) > + if (vma->vm_pgoff > (~0UL >> PAGE_SHIFT)) > + return -EINVAL; > + > + offset = vma->vm_pgoff << PAGE_SHIFT; > + > + if (offset > info->fix.smem_len || size > info->fix.smem_len - offset) > return -EINVAL; > > pos = (unsigned long)info->fix.smem_start + offset;

--
Daniel Vetter
Software Engineer, Intel Corporation
http://blog.ffwll.ch
_______________________________________________
dri-devel mailing list
dri-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/dri-devel
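
Review bot: the two new bounds checks in udl_fb_mmap() carry no comment explaining that their form is what prevents wraparound, so a later cleanup could fold `size > info->fix.smem_len - offset` back into the original `offset + size > info->fix.smem_len`, which wraps for large values. A short comment above each check would help: one saying the `vma->vm_pgoff > (~0UL >> PAGE_SHIFT)` test guards the `<< PAGE_SHIFT` that follows it, and one saying `offset > info->fix.smem_len` has to be evaluated first so that the subtraction on the right-hand side cannot underflow. As a style point, `ULONG_MAX >> PAGE_SHIFT` would read more clearly than `~0UL >> PAGE_SHIFT`. The commit message could also name the two overflowing expressions rather than "crazy values", which makes the fix easier to find when backporting.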