From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Iwona Winiarska, Andrew Jeffery, Joel Stanley, Joel Stanley
Subject: [PATCH 5.13 029/380] soc: aspeed: p2a-ctrl: Fix boundary check for mmap
Date: Thu, 16 Sep 2021 17:56:26 +0200
Message-Id: <20210916155804.954500417@linuxfoundation.org>
In-Reply-To: <20210916155803.966362085@linuxfoundation.org>
References: <20210916155803.966362085@linuxfoundation.org>

From: Iwona Winiarska

commit 8b07e990fb254fcbaa919616ac77f981cb48c73d upstream.

The check mixes pages (vm_pgoff) with bytes (vm_start, vm_end) on one side of the comparison, and uses resource address (rather than just the resource size) on the other side of the comparison. This can allow malicious userspace to easily bypass the boundary check and map pages that are located outside memory-region reserved by the driver.

Fixes: 01c60dcea9f7 ("drivers/misc: Add Aspeed P2A control driver")
Cc: stable@vger.kernel.org
Signed-off-by: Iwona Winiarska
Reviewed-by: Andrew Jeffery
Tested-by: Andrew Jeffery
Reviewed-by: Joel Stanley
Signed-off-by: Joel Stanley
Signed-off-by: Greg Kroah-Hartman

--- drivers/soc/aspeed/aspeed-p2a-ctrl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/soc/aspeed/aspeed-p2a-ctrl.c +++ b/drivers/soc/aspeed/aspeed-p2a-ctrl.c @@ -110,7 +110,7 @@ static int aspeed_p2a_mmap(struct file * vsize = vma->vm_end - vma->vm_start; prot = vma->vm_page_prot; - if (vma->vm_pgoff + vsize > ctrl->mem_base + ctrl->mem_size) + if (vma->vm_pgoff + vma_pages(vma) > ctrl->mem_size >> PAGE_SHIFT) return -EINVAL; /* ast2400/2500 AHB accesses are not cache coherent */
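
Review bot: in the replacement condition, `vma->vm_pgoff + vma_pages(vma)` is an unsigned sum that nothing in this hunk keeps from wrapping, so the bound is only as strong as whatever limits `vm_pgoff` before the handler runs. If the mmap core is relied on to reject such offsets, a short comment saying so would help; otherwise the check can avoid the addition altogether by rejecting when `vma->vm_pgoff` exceeds `ctrl->mem_size >> PAGE_SHIFT` or when `vma_pages(vma)` exceeds what remains after it. Parentheses around `ctrl->mem_size >> PAGE_SHIFT` would make the precedence explicit, and a comment that both sides are now page counts relative to the start of the region (with a `mem_size` that is not a page multiple rounded down) would keep the units from being mixed again.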