Received: by 10.213.65.68 with SMTP id h4csp761381imn;
        Fri, 6 Apr 2018 08:27:35 -0700 (PDT)
X-Google-Smtp-Source: AIpwx49prs+wmLkm406tSC4s+drjFPqDBJv0BJgx3K+CzUK5vFDgpj4ev4Oaet0/YDaEicWHgfRz
X-Received: by 10.167.134.70 with SMTP id a6mr4713521pfo.203.1523028455825;
        Fri, 06 Apr 2018 08:27:35 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1523028455; cv=none;
        d=google.com; s=arc-20160816;
        b=F9VzZ5OnaVgK/96LjTftgIPgIC299/Zh+uuFVaGzCU+eUDrM+xhLLBdksike/gYZXy
         dsycZ7igum3Q86c9i3d4YwJ80BdE/1v7oPpiN5vyiqdvAhHcNfJjcZOOGl6MjuJ/CjNx
         vH1wopGYrm6S7R1oCiQglU4QGiXFSSWp6OEE/au+hbgz006PZyevGz0NvZiOaByWj+sD
         B9u/ldPUIlQdxie7ZYDjCyN/7nLwJ/CnSgLHaqXqHhY85kXfNa6pkn7ZopFi/EdXm0tM
         Yoms6IPejJ5z+gF9zTpxNzNmbnXvKFN5u6rJgk8w3l2JLHxerAgEeqWkMHMZ3CEf5G7+
         qhow==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:references
         :in-reply-to:message-id:date:subject:cc:to:from
         :arc-authentication-results;
        bh=mE2z0BNCg9V0Pr6r09h+tN+ZHBAo6YgfJHVMbvOT+Xc=;
        b=YiXS/fhTyWevzWnfXGEjxPAQ1F9H3yJhpdZ8qBBcSWBFodNh4oCpO12xZzF87PipSB
         aFuFqYXSH4jjO4pQk2Up/ElTPfPmv/1ojcmqhVRbpEtjTJjIPNX9ZP5X18ohq3WuAr+x
         EX2a13fiebuFTlzxmSvvR9WbxF3lPtshlJMjJSQEeXmiG7zg9yQqan89i4QE7BSLoSiw
         HgmWhhlmAWwXgTnGygmDiESKrnQYQXCc+VwCPYLxC18ZveoQJyWl8l6Ah1soKtqlygGk
         5vVN7tFK+fePbRyGSTl79+9FrYG6NV1B74saXDYsU6aJGhVV2q2DUo9Gb7zn4vr5W3Ta
         VEfw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id u8-v6si8598800plh.469.2018.04.06.08.26.58;
        Fri, 06 Apr 2018 08:27:35 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752859AbeDFPX7 (ORCPT <rfc822;tuxbino@gmail.com> + 99 others);
        Fri, 6 Apr 2018 11:23:59 -0400
Received: from mail.linuxfoundation.org ([140.211.169.12]:54864 "EHLO
        mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1754100AbeDFN1H (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 6 Apr 2018 09:27:07 -0400
Received: from localhost (LFbn-1-12247-202.w90-92.abo.wanadoo.fr [90.92.61.202])
        by mail.linuxfoundation.org (Postfix) with ESMTPSA id C2DEA5AC;
        Fri,  6 Apr 2018 13:27:06 +0000 (UTC)
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Eyal Itkin <eyalit@checkpoint.com>,
        Daniel Vetter <daniel.vetter@ffwll.ch>
Subject: [PATCH 3.18 12/93] drm: udl: Properly check framebuffer mmap offsets
Date:   Fri,  6 Apr 2018 15:22:41 +0200
Message-Id: <20180406084225.501275097@linuxfoundation.org>
X-Mailer: git-send-email 2.17.0
In-Reply-To: <20180406084224.918716300@linuxfoundation.org>
References: <20180406084224.918716300@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3b82a4db8eaccce735dffd50b4d4e1578099b8e8 upstream.

The memmap options sent to the udl framebuffer driver were not being
checked for all sets of possible crazy values.  Fix this up by properly
bounding the allowed values.

Reported-by: Eyal Itkin <eyalit@checkpoint.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: https://patchwork.freedesktop.org/patch/msgid/20180321154553.GA18454@kroah.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/udl/udl_fb.c |    9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

--- a/drivers/gpu/drm/udl/udl_fb.c
+++ b/drivers/gpu/drm/udl/udl_fb.c
@@ -256,10 +256,15 @@ static int udl_fb_mmap(struct fb_info *i
 {
 	unsigned long start = vma->vm_start;
 	unsigned long size = vma->vm_end - vma->vm_start;
-	unsigned long offset = vma->vm_pgoff << PAGE_SHIFT;
+	unsigned long offset;
 	unsigned long page, pos;
 
-	if (offset + size > info->fix.smem_len)
+	if (vma->vm_pgoff > (~0UL >> PAGE_SHIFT))
+		return -EINVAL;
+
+	offset = vma->vm_pgoff << PAGE_SHIFT;
+
+	if (offset > info->fix.smem_len || size > info->fix.smem_len - offset)
 		return -EINVAL;
 
 	pos = (unsigned long)info->fix.smem_start + offset;