Received: by 2002:ac0:a5b6:0:0:0:0:0 with SMTP id m51-v6csp2350301imm;
        Thu, 7 Jun 2018 09:11:03 -0700 (PDT)
X-Google-Smtp-Source: ADUXVKJPODXdeetPhy1SxIV3XYxYexLtLefJvd65mFEkL/7ioLHt5TL0O7vjlVK07fPKFq2NT6HC
X-Received: by 2002:a17:902:7d09:: with SMTP id z9-v6mr2640946pll.233.1528387863799;
        Thu, 07 Jun 2018 09:11:03 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1528387863; cv=none;
        d=google.com; s=arc-20160816;
        b=Xsb9wbdtaDaHaHEIOlBeA4uprwgPJWYRhzfiQ2AStGr15coS5NPjR+ciFBZqMkfn8p
         q/cs4HFdcW6BkZ8gMuJoGsIeWaVs1Wu5cEMsTjeGs+b7oEEm+tIKl4hG+COHoqPqrERC
         wmvw45yekXuslndWJ9onQEOECJZzp4KgOE5Z4108Lf6EHrSUUicyAAkAeev6g0Y0/83N
         +jn1daZfbuSShYhTO/r3xYvcGpa0VUsxn59nNQ5Cpm6KudaxLcewMjqQB0oUBvEpHO1F
         5SbflORmUNK/9gn8/hYWtd/xPgd2idIejg97Zdchu5/7iX9jw1eq2nrzH5n2/ygzhAX1
         PoWw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:in-reply-to:subject:message-id:date:cc:to
         :from:mime-version:content-transfer-encoding:content-disposition
         :arc-authentication-results;
        bh=F82V11M97ayg4QS3QhrHbRarUjckzgzXI3Rp/gG45AE=;
        b=wJTtSOKvJBhUAyqSz2B/exgpgF09ssYx9HYv0D1TsLZhhKV0llz5e7+l6d5Xpz7lre
         iLOZZ+K4aLiUOH034HepmJuM2t7FYVwo32ZwOI8ED1+IdlAce6gSiaARI6rT9sO/ZnVb
         sbkHuTeKhI4+u/zW4hDmfp8yb7VnNqp/sJwBwWyz41U9g6s0ZiuV3/ARw+CMTfhKQrME
         /UkAgkhw+mSlyigSYHm53em6AeL5T2Hva+E7UchcBXZqdKnV1TXh8PQQrXDg1X68onUW
         PjTwXbRkB9PZrnn08Zaq4Y8tyPF5MeNjWTCWsejkQiFELMnHKwdSWVorb/azv+u0qQXx
         A8Gw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id i11-v6si25406423pgc.350.2018.06.07.09.10.49;
        Thu, 07 Jun 2018 09:11:03 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S935784AbeFGQJM (ORCPT <rfc822;chenhe.dev@gmail.com> + 99 others);
        Thu, 7 Jun 2018 12:09:12 -0400
Received: from shadbolt.e.decadent.org.uk ([88.96.1.126]:39209 "EHLO
        shadbolt.e.decadent.org.uk" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S932991AbeFGOJC (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 7 Jun 2018 10:09:02 -0400
Received: from [148.252.241.226] (helo=deadeye)
        by shadbolt.decadent.org.uk with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
        (Exim 4.84_2)
        (envelope-from <ben@decadent.org.uk>)
        id 1fQvb1-0005Zp-HQ; Thu, 07 Jun 2018 15:08:59 +0100
Received: from ben by deadeye with local (Exim 4.91)
        (envelope-from <ben@decadent.org.uk>)
        id 1fQvay-0002iV-1b; Thu, 07 Jun 2018 15:08:56 +0100
Content-Type: text/plain; charset="UTF-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
From:   Ben Hutchings <ben@decadent.org.uk>
To:     linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC:     akpm@linux-foundation.org,
        "Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
        "Eyal Itkin" <eyalit@checkpoint.com>,
        "Daniel Vetter" <daniel.vetter@ffwll.ch>
Date:   Thu, 07 Jun 2018 15:05:21 +0100
Message-ID: <lsq.1528380321.476104605@decadent.org.uk>
X-Mailer: LinuxStableQueue (scripts by bwh)
Subject: [PATCH 3.16 031/410] drm: udl: Properly check framebuffer mmap
 offsets
In-Reply-To: <lsq.1528380320.647747352@decadent.org.uk>
X-SA-Exim-Connect-IP: 148.252.241.226
X-SA-Exim-Mail-From: ben@decadent.org.uk
X-SA-Exim-Scanned: No (on shadbolt.decadent.org.uk); SAEximRunCond expanded to false
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3b82a4db8eaccce735dffd50b4d4e1578099b8e8 upstream.

The memmap options sent to the udl framebuffer driver were not being
checked for all sets of possible crazy values.  Fix this up by properly
bounding the allowed values.

Reported-by: Eyal Itkin <eyalit@checkpoint.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: https://patchwork.freedesktop.org/patch/msgid/20180321154553.GA18454@kroah.com
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/gpu/drm/udl/udl_fb.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

--- a/drivers/gpu/drm/udl/udl_fb.c
+++ b/drivers/gpu/drm/udl/udl_fb.c
@@ -256,10 +256,15 @@ static int udl_fb_mmap(struct fb_info *i
 {
 	unsigned long start = vma->vm_start;
 	unsigned long size = vma->vm_end - vma->vm_start;
-	unsigned long offset = vma->vm_pgoff << PAGE_SHIFT;
+	unsigned long offset;
 	unsigned long page, pos;
 
-	if (offset + size > info->fix.smem_len)
+	if (vma->vm_pgoff > (~0UL >> PAGE_SHIFT))
+		return -EINVAL;
+
+	offset = vma->vm_pgoff << PAGE_SHIFT;
+
+	if (offset > info->fix.smem_len || size > info->fix.smem_len - offset)
 		return -EINVAL;
 
 	pos = (unsigned long)info->fix.smem_start + offset;