Received: by 10.213.65.68 with SMTP id h4csp828043imn;
        Tue, 27 Mar 2018 09:30:56 -0700 (PDT)
X-Google-Smtp-Source: AG47ELtfZVWQYPImaRwKCKUTUIqjZlluRc31G7nIy1tb4gHHN5hMb4WAEiwQ3rzDAJ5zj40eLWTU
X-Received: by 10.99.67.1 with SMTP id q1mr32032655pga.365.1522168256697;
        Tue, 27 Mar 2018 09:30:56 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1522168256; cv=none;
        d=google.com; s=arc-20160816;
        b=faxzp8oRigzg179EuIMWxKn4QTuf5U4uWiWwQsUnRWqbu02301JDsl65RR1P7mNT0k
         hl3XFcf0txTBNGujV/eYMvC7MkGNwSN53H36K8h59qT5KRGey1Ujw6lwEwJGVwhBRYEG
         3MHDmG+dIdUSu0Lb0Gj45sQ0iAdgMLcm9PES2Rs2LPN4obyEUrd2CFQy3c6nKTGjmqhw
         xj7YOZ6toBxreQR43O4zjFjRDtU6sDe5clMH2QgLuG7ZWtDdz7/ZFOqeULGelg1WzHkM
         O0rn3Ek0LG0nu248QC2ACm0RnlV4dfWSZk6CefaqD5/F5ND+iR9hJCXtFjnQLurhC8ma
         gJiw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:references
         :in-reply-to:message-id:date:subject:cc:to:from
         :arc-authentication-results;
        bh=tbnW3oftQClMxtFVidroh86tEg9FWvSrNAlMfmz1oXw=;
        b=qzenCdAoAvB5BVIQG57ZYjOEn78nnBZ0U8CyFG2rjaEqBlCv8GvaM8QEucNwa1Ijhf
         NSB3ZtL0YC4kbsr5Enaj5KS0h21i2WbRJYp+5V/CxaaFVRhYWxWi3KaE+Y/1GZaKYkaM
         JIWVQwZwX796s2BmyPixImvnCg/SNYbYvEpe57MbvmabEArMXeQefA9q+QgxhZNZ89zv
         cccBlR5N0OmFG3zhlriLFqfcYd4rRACKgnwn6KyP1GTswmQDxQYwemHm8ePokVZ0J6UN
         vVZuu9KmcWWZdGbNqWBxlx834bVmXLJ3U/W7U1nlIHlw3UUIymeWIcVjNwNMWzW+nAx6
         B2EQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id 91-v6si1651500pld.396.2018.03.27.09.30.42;
        Tue, 27 Mar 2018 09:30:56 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752613AbeC0Q3X (ORCPT <rfc822;saikripd@gmail.com> + 99 others);
        Tue, 27 Mar 2018 12:29:23 -0400
Received: from mail.linuxfoundation.org ([140.211.169.12]:41294 "EHLO
        mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751824AbeC0Q3T (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 27 Mar 2018 12:29:19 -0400
Received: from localhost (LFbn-1-12247-202.w90-92.abo.wanadoo.fr [90.92.61.202])
        by mail.linuxfoundation.org (Postfix) with ESMTPSA id 427C910B8;
        Tue, 27 Mar 2018 16:29:19 +0000 (UTC)
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Eyal Itkin <eyalit@checkpoint.com>,
        Daniel Vetter <daniel.vetter@ffwll.ch>
Subject: [PATCH 4.4 24/43] drm: udl: Properly check framebuffer mmap offsets
Date:   Tue, 27 Mar 2018 18:27:28 +0200
Message-Id: <20180327162717.780955346@linuxfoundation.org>
X-Mailer: git-send-email 2.16.3
In-Reply-To: <20180327162716.407986916@linuxfoundation.org>
References: <20180327162716.407986916@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3b82a4db8eaccce735dffd50b4d4e1578099b8e8 upstream.

The memmap options sent to the udl framebuffer driver were not being
checked for all sets of possible crazy values.  Fix this up by properly
bounding the allowed values.

Reported-by: Eyal Itkin <eyalit@checkpoint.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: https://patchwork.freedesktop.org/patch/msgid/20180321154553.GA18454@kroah.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/udl/udl_fb.c |    9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

--- a/drivers/gpu/drm/udl/udl_fb.c
+++ b/drivers/gpu/drm/udl/udl_fb.c
@@ -256,10 +256,15 @@ static int udl_fb_mmap(struct fb_info *i
 {
 	unsigned long start = vma->vm_start;
 	unsigned long size = vma->vm_end - vma->vm_start;
-	unsigned long offset = vma->vm_pgoff << PAGE_SHIFT;
+	unsigned long offset;
 	unsigned long page, pos;
 
-	if (offset + size > info->fix.smem_len)
+	if (vma->vm_pgoff > (~0UL >> PAGE_SHIFT))
+		return -EINVAL;
+
+	offset = vma->vm_pgoff << PAGE_SHIFT;
+
+	if (offset > info->fix.smem_len || size > info->fix.smem_len - offset)
 		return -EINVAL;
 
 	pos = (unsigned long)info->fix.smem_start + offset;