On Wed, Mar 21, 2018 at 04:45:53PM +0100, Greg Kroah-Hartman wrote:
The memmap options sent to the udl framebuffer driver were not being checked for all sets of possible crazy values. Fix this up by properly bounding the allowed values.
Reported-by: Eyal Itkin eyalit@checkpoint.com Cc: stable stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
Applied to drm-misc-fixes, thanks for the patch.
Does anyone working on overflow-proof integers? That would make a lot of this code so much simpler if we could just ask the compiler to carry the oferflow bit around for a given expression and then check that and bail with -EINVAL. -Daniel
diff --git a/drivers/gpu/drm/udl/udl_fb.c b/drivers/gpu/drm/udl/udl_fb.c index b5b335c9b2bb..2ebdc6d5a76e 100644 --- a/drivers/gpu/drm/udl/udl_fb.c +++ b/drivers/gpu/drm/udl/udl_fb.c @@ -159,10 +159,15 @@ static int udl_fb_mmap(struct fb_info *info, struct vm_area_struct *vma) { unsigned long start = vma->vm_start; unsigned long size = vma->vm_end - vma->vm_start;
- unsigned long offset = vma->vm_pgoff << PAGE_SHIFT;
- unsigned long offset; unsigned long page, pos;
- if (offset + size > info->fix.smem_len)
if (vma->vm_pgoff > (~0UL >> PAGE_SHIFT))
return -EINVAL;offset = vma->vm_pgoff << PAGE_SHIFT;
if (offset > info->fix.smem_len || size > info->fix.smem_len - offset) return -EINVAL;
pos = (unsigned long)info->fix.smem_start + offset;