tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

drm: udl: Properly check framebuffer mmap offsets

The memmap options sent to the udl framebuffer driver were not being
checked for all sets of possible crazy values. Fix this up by properly
bounding the allowed values.

Reported-by: Eyal Itkin <eyalit@checkpoint.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: https://patchwork.freedesktop.org/patch/msgid/20180321154553.GA18454@kroah.com

authored by

Greg Kroah-Hartman and committed by
Daniel Vetter 3b82a4db b24791fe

+7 -2
+7 -2
drivers/gpu/drm/udl/udl_fb.c
··· 159 159 { 160 160 unsigned long start = vma->vm_start; 161 161 unsigned long size = vma->vm_end - vma->vm_start; 162 - unsigned long offset = vma->vm_pgoff << PAGE_SHIFT; 162 + unsigned long offset; 163 163 unsigned long page, pos; 164 164 165 - if (offset + size > info->fix.smem_len) 165 + if (vma->vm_pgoff > (~0UL >> PAGE_SHIFT)) 166 + return -EINVAL; 167 + 168 + offset = vma->vm_pgoff << PAGE_SHIFT; 169 + 170 + if (offset > info->fix.smem_len || size > info->fix.smem_len - offset) 166 171 return -EINVAL; 167 172 168 173 pos = (unsigned long)info->fix.smem_start + offset;