drm: udl: Properly check framebuffer mmap offsets

The memmap options sent to the udl framebuffer driver were not being checked for all sets of possible crazy values. Fix this up by properly bounding the allowed values. Reported-by: Eyal Itkin <eyalit@checkpoint.com> Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch> Link: https://patchwork.freedesktop.org/patch/msgid/20180321154553.GA18454@kroah.com
author: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2018-03-21 11:45:53 -0400
committer: Daniel Vetter <daniel.vetter@ffwll.ch> 2018-03-22 02:59:01 -0400
commit: 3b82a4db8eaccce735dffd50b4d4e1578099b8e8 (patch)
tree: d3b7f0f528c93bad7f2ab77e18d19322e5a165a6
parent: b24791fe00f8b089d5b10cb7bcc4e1ae88b4831b (diff)
1 files changed, 7 insertions, 2 deletions
diff --git a/drivers/gpu/drm/udl/udl_fb.c b/drivers/gpu/drm/udl/udl_fb.c
index b5b335c9b2bb..2ebdc6d5a76e 100644
--- a/drivers/gpu/drm/udl/udl_fb.c
+++ b/drivers/gpu/drm/udl/udl_fb.c
@@ -159,10 +159,15 @@ static int udl_fb_mmap(struct fb_info *info, struct vm_area_struct *vma)
 {
        unsigned long start = vma->vm_start;
        unsigned long size = vma->vm_end - vma->vm_start;
-        unsigned long offset = vma->vm_pgoff << PAGE_SHIFT;
+        unsigned long offset;
        unsigned long page, pos;
-        if (offset + size > info->fix.smem_len)
+        if (vma->vm_pgoff > (~0UL >> PAGE_SHIFT))
+                return -EINVAL;
+        offset = vma->vm_pgoff << PAGE_SHIFT;
+        if (offset > info->fix.smem_len || size > info->fix.smem_len - offset)
                return -EINVAL;
        pos = (unsigned long)info->fix.smem_start + offset;
author	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2018-03-21 11:45:53 -0400
committer	Daniel Vetter <daniel.vetter@ffwll.ch>	2018-03-22 02:59:01 -0400
commit	3b82a4db8eaccce735dffd50b4d4e1578099b8e8 (patch)
tree	d3b7f0f528c93bad7f2ab77e18d19322e5a165a6
parent	b24791fe00f8b089d5b10cb7bcc4e1ae88b4831b (diff)