On Sun, Dec 01, 2013 at 01:10:06PM +0100, Pavel Machek wrote: > diff --git a/drivers/staging/tidspbridge/rmgr/drv_interface.c b/drivers/staging/tidspbridge/rmgr/drv_interface.c > index 1aa4a3f..a8e86cf 100644 > --- a/drivers/staging/tidspbridge/rmgr/drv_interface.c > +++ b/drivers/staging/tidspbridge/rmgr/drv_interface.c > @@ -258,7 +258,17 @@ err: > /* This function maps kernel space memory to user space memory. */ > static int bridge_mmap(struct file *filp, struct vm_area_struct *vma) > { > - u32 status; > + int status; > + struct omap_dsp_platform_data *pdata = > + omap_dspbridge_dev->dev.platform_data; > + unsigned long start = vma->vm_pgoff << PAGE_SHIFT; > + > + if (start < pdata->phys_mempool_base) > + return -EINVAL; > + > + if (vma->vm_end - vma->vm_start + (start - pdata->phys_mempool_base) > + > pdata->phys_mempool_size)

This test is vulnerable to integer overflows if you pick a very high value for start.

Consider using the vm_iomap_memory() helper function instead of calling remap_pfn_range() directly. Commit 7314e613d5ff ('Fix a few incorrectly checked [io_]remap_pfn_range() calls') has an example of how the conversion works.

regards,
dan carpenter
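Review bot: the second `if` in this hunk can be defeated by wrap-around in two places. `vma->vm_end - vma->vm_start + (start - pdata->phys_mempool_base)` is evaluated in `unsigned long`, so on a 32-bit OMAP kernel a large vma combined with a `start` far above the pool wraps the sum to a small value that passes the `> pdata->phys_mempool_size` test; and `unsigned long start = vma->vm_pgoff << PAGE_SHIFT;` silently drops the high 12 bits of `vm_pgoff` (any pgoff above 0xfffff), so a pgoff well outside the pool can produce a `start` equal to `pdata->phys_mempool_base` and pass the `start < pdata->phys_mempool_base` test while the vma's real pgoff is nowhere near the pool. Compare page counts rather than byte addresses, never shifting `vm_pgoff` left, or, as suggested, replace the hand-rolled check and the remap_pfn_range() call with vm_iomap_memory(vma, pdata->phys_mempool_base, pdata->phys_mempool_size), which does the page-count checks itself; note that vm_iomap_memory() treats `vm_pgoff` as an offset in pages from the base it is given, so user space that currently passes an absolute physical offset would see a behaviour change. Two smaller points: `pdata` is dereferenced unconditionally, so if any board can register the device without platform data, check it before use; and with `status` changed from `u32` to `int`, make sure every remaining assignment to `status` in this function (not shown in the hunk) still type-checks and returns a negative errno rather than a DSP status code.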
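To make the overflow concrete, the following is an added example written for this discussion; it is not Pavel's patch, not the tidspbridge driver and not vm_iomap_memory() itself. It models the posted bounds test on a 32-bit kernel (unsigned long is 32 bits, as on OMAP3/4 without LPAE) next to a page-count check in the style of vm_iomap_memory(), and feeds both the same mmap requests. The pool address (0x87000000), pool size (16 MiB), the user mapping base (0x10000000) and the struct layouts are assumed values chosen for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed model, not driver code. ulong32 stands in for the kernel's
 * unsigned long on a 32-bit ARM build; the structs carry only the fields
 * the bounds check reads.
 */
typedef uint32_t ulong32;
#define PAGE_SHIFT 12u
#define PAGE_SIZE  (1u << PAGE_SHIFT)

struct vma   { ulong32 vm_start, vm_end, vm_pgoff; };
struct pdata { ulong32 phys_mempool_base, phys_mempool_size; };

/* Assumed DSP memory pool: 16 MiB of physical memory at 0x87000000. */
static const struct pdata demo_pool = { 0x87000000u, 0x01000000u };

/* The bounds test exactly as posted in the patch, in the model's types. */
static bool posted_check_accepts(const struct vma *vma, const struct pdata *p)
{
	ulong32 start = vma->vm_pgoff << PAGE_SHIFT;   /* bits 20..31 of vm_pgoff are lost */
	ulong32 len   = vma->vm_end - vma->vm_start;
	ulong32 off;

	if (start < p->phys_mempool_base)
		return false;
	off = start - p->phys_mempool_base;
	/* len + off is 32-bit modular arithmetic and can wrap below the pool size */
	if ((ulong32)(len + off) > p->phys_mempool_size)
		return false;
	return true;
}

/*
 * Page-count comparison in the style of vm_iomap_memory(): vm_pgoff is never
 * shifted left and every comparison is between page counts, so no expression
 * can wrap. vm_pgoff keeps the meaning the posted check gives it (an absolute
 * physical page frame number); the real helper would take it relative to base.
 */
static bool pfn_check_accepts(const struct vma *vma, const struct pdata *p)
{
	ulong32 base_pfn   = p->phys_mempool_base >> PAGE_SHIFT;
	ulong32 pool_pages = p->phys_mempool_size >> PAGE_SHIFT;   /* size assumed page-aligned */
	ulong32 vma_pages  = (vma->vm_end - vma->vm_start) >> PAGE_SHIFT;
	ulong32 off_pages;

	if (vma->vm_pgoff < base_pfn)
		return false;
	off_pages = vma->vm_pgoff - base_pfn;          /* cannot wrap: pgoff >= base_pfn */
	if (off_pages > pool_pages)
		return false;
	if (vma_pages > pool_pages - off_pages)        /* cannot wrap: off_pages <= pool_pages */
		return false;
	return true;
}

/* The vma an mmap(NULL, len, ..., fd, pgoff << PAGE_SHIFT) request yields (assumed user base). */
static struct vma request(ulong32 pgoff, ulong32 len)
{
	struct vma v = { 0x10000000u, 0x10000000u + len, pgoff };
	return v;
}

static bool posted_accepts(ulong32 pgoff, ulong32 len)
{
	struct vma v = request(pgoff, len);
	return posted_check_accepts(&v, &demo_pool);
}

static bool pfn_accepts(ulong32 pgoff, ulong32 len)
{
	struct vma v = request(pgoff, len);
	return pfn_check_accepts(&v, &demo_pool);
}

int main(void)
{
	/* Constructed requests: two legitimate-looking ones and two that wrap. */
	struct { const char *what; ulong32 pgoff, len; } cases[] = {
		{ "2 pages at pool offset 0x10000",                  0x87010u,  0x2000u },
		{ "2 pages starting on the pool's last page",        0x87FFFu,  0x2000u },
		{ "addition wraps: pgoff 0xfffff with a 2 GiB+ vma", 0xFFFFFu,  0x87001000u },
		{ "shift wraps: pgoff 0x187000 aliases pool base",   0x187000u, 0x1000u },
	};

	for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
		printf("%-52s posted=%s  pfn=%s\n", cases[i].what,
		       posted_accepts(cases[i].pgoff, cases[i].len) ? "accept" : "reject",
		       pfn_accepts(cases[i].pgoff, cases[i].len) ? "accept" : "reject");
	return 0;
}
```

The two wrapping cases are the ones Dan's comment is about: in the third, `len + off` reaches exactly 2^32 and wraps to 0, so the posted test reads the request as zero bytes into the pool; in the fourth, the left shift turns pgoff 0x187000 into `start == phys_mempool_base` even though the pgoff itself is a million pages past the pool. The page-count version rejects both because it never shifts `vm_pgoff` and only subtracts after the ordering check. If the driver switches to vm_iomap_memory(), remember that the helper interprets `vm_pgoff` as pages from the base passed to it, not as an absolute physical page number.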