Received: by 10.213.65.68 with SMTP id h4csp859003imn;
        Tue, 27 Mar 2018 10:04:40 -0700 (PDT)
X-Google-Smtp-Source: AIpwx4/9XdTCCblzflc8Oa3/v9Vdjh3p+cmElbLMJZs32g2ywudmqj9GNhDqJS7ZD+24D0NUO/h1
X-Received: by 10.99.124.14 with SMTP id x14mr94995pgc.290.1522170280016;
        Tue, 27 Mar 2018 10:04:40 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1522170279; cv=none;
        d=google.com; s=arc-20160816;
        b=lNsVlANdcIe4v7rNQwNQve2CHpXkaA+7r24s4JwGp8fOke5iA3OA5JdQTPOBFMolTI
         V7QYUPe7sNQJeJginsmQjajpyweYbHT3RneCxB65kzDS46Qq44mlsRklB3OUR+kje1Jf
         q3zOqvfHPZDQoN0tMTALdFYXMd/X1uAtvIdPMca3rNLFsN2R/yoCOHzqwiT2yI5By+4H
         bJ/67TwvMjtpNu2pN0sc6RaLsmcVo5VDfsuE1xaV62vtyCNAFA+R/EoFKidT8qei9sUe
         NIN62U+5h2Nk2ckdXutKL3hnUOEAi35SqJ/VAgwcTwjKs81j8Dy8muN1v/t6WI7qXPTi
         nGOw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:references
         :in-reply-to:message-id:date:subject:cc:to:from
         :arc-authentication-results;
        bh=pUwsRkExcLckLtpVONmpsYC01McNmWGIyIm61kZfSOY=;
        b=mKiYCxWrjVvvVX0DQEjSqN6Q9IajN1LYJjcscPPOaaV3VjtMwK51i/kk0YJUeReGW1
         gq1DhaTNSB57bvVlcOukyvFvMtFL8iiC8vfzCntI/AJR5ItZD3G93hHKfeJjDqe2Ozh7
         66fWiL7bOC9cByaHfknjIhNbibEacnYCtJnhdUejDg+tvFcoI4lHjSi3vxya/iWWDVx2
         vrwnI2H2J4kfZ6w/OJtVPmxs5EfIaItM8fdww/qL7SdnyJ4mKmvIyZsLG9Wi4xU/DFi2
         F5r+iHOwEdtdbo5ThWnzSFclcq4ufxe1QbK8dW+qSLeAW3JeO5CLSPodTIBOIKU2WSkj
         ozXA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id q3si1114955pgc.197.2018.03.27.10.04.23;
        Tue, 27 Mar 2018 10:04:39 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1755547AbeC0RCg (ORCPT <rfc822;saikripd@gmail.com> + 99 others);
        Tue, 27 Mar 2018 13:02:36 -0400
Received: from mail.linuxfoundation.org ([140.211.169.12]:48612 "EHLO
        mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S932218AbeC0QlJ (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 27 Mar 2018 12:41:09 -0400
Received: from localhost (LFbn-1-12247-202.w90-92.abo.wanadoo.fr [90.92.61.202])
        by mail.linuxfoundation.org (Postfix) with ESMTPSA id DD9CF7A8;
        Tue, 27 Mar 2018 16:41:08 +0000 (UTC)
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Eyal Itkin <eyalit@checkpoint.com>,
        Daniel Vetter <daniel.vetter@ffwll.ch>
Subject: [PATCH 4.15 061/105] drm: udl: Properly check framebuffer mmap offsets
Date:   Tue, 27 Mar 2018 18:27:41 +0200
Message-Id: <20180327162801.325325885@linuxfoundation.org>
X-Mailer: git-send-email 2.16.3
In-Reply-To: <20180327162757.813009222@linuxfoundation.org>
References: <20180327162757.813009222@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

4.15-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3b82a4db8eaccce735dffd50b4d4e1578099b8e8 upstream.

The memmap options sent to the udl framebuffer driver were not being
checked for all sets of possible crazy values.  Fix this up by properly
bounding the allowed values.

Reported-by: Eyal Itkin <eyalit@checkpoint.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: https://patchwork.freedesktop.org/patch/msgid/20180321154553.GA18454@kroah.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/udl/udl_fb.c |    9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

--- a/drivers/gpu/drm/udl/udl_fb.c
+++ b/drivers/gpu/drm/udl/udl_fb.c
@@ -159,10 +159,15 @@ static int udl_fb_mmap(struct fb_info *i
 {
 	unsigned long start = vma->vm_start;
 	unsigned long size = vma->vm_end - vma->vm_start;
-	unsigned long offset = vma->vm_pgoff << PAGE_SHIFT;
+	unsigned long offset;
 	unsigned long page, pos;
 
-	if (offset + size > info->fix.smem_len)
+	if (vma->vm_pgoff > (~0UL >> PAGE_SHIFT))
+		return -EINVAL;
+
+	offset = vma->vm_pgoff << PAGE_SHIFT;
+
+	if (offset > info->fix.smem_len || size > info->fix.smem_len - offset)
 		return -EINVAL;
 
 	pos = (unsigned long)info->fix.smem_start + offset;