aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorTomi Valkeinen <tomi.valkeinen@ti.com>2013-04-18 01:39:47 -0400
committerTomi Valkeinen <tomi.valkeinen@ti.com>2013-04-26 01:28:56 -0400
commit04f8afbec37f63fafce16e454a7848426aa36202 (patch)
tree1c761c03f67ebdc71163aaaf0389a092f29916c6
parent11bd5933abe033fb7a3a0d1f1bd2cb4b6df8143f (diff)
fbdev: improve fb_mmap bounds checks
Improve fb_mmap bounds checks in gbefb, smscufx, udlfb and vfb drivers to prevent possible uint overflows. Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com> Cc: Steve Glendinning <steve.glendinning@smsc.com> Cc: Bernie Thompson <bernie@plugable.com>
Diffstat
-rw-r--r--drivers/video/gbefb.c4
-rw-r--r--drivers/video/smscufx.c6
-rw-r--r--drivers/video/udlfb.c6
-rw-r--r--drivers/video/vfb.c7
4 files changed, 18 insertions, 5 deletions
diff --git a/drivers/video/gbefb.c b/drivers/video/gbefb.c
index bda5e3941510..ceab37020fff 100644
--- a/drivers/video/gbefb.c
+++ b/drivers/video/gbefb.c
@@ -1016,7 +1016,9 @@ static int gbefb_mmap(struct fb_info *info,
1016 /* check range */ 1016 /* check range */
1017 if (vma->vm_pgoff > (~0UL >> PAGE_SHIFT)) 1017 if (vma->vm_pgoff > (~0UL >> PAGE_SHIFT))
1018 return -EINVAL; 1018 return -EINVAL;
1019 if (offset + size > gbe_mem_size) 1019 if (size > gbe_mem_size)
1020 return -EINVAL;
1021 if (offset > gbe_mem_size - size)
1020 return -EINVAL; 1022 return -EINVAL;
1021 1023
1022 /* remap using the fastest write-through mode on architecture */ 1024 /* remap using the fastest write-through mode on architecture */
diff --git a/drivers/video/smscufx.c b/drivers/video/smscufx.c
index 97bd6620c364..b2b33fc1ac3f 100644
--- a/drivers/video/smscufx.c
+++ b/drivers/video/smscufx.c
@@ -782,7 +782,11 @@ static int ufx_ops_mmap(struct fb_info *info, struct vm_area_struct *vma)
782 unsigned long offset = vma->vm_pgoff << PAGE_SHIFT; 782 unsigned long offset = vma->vm_pgoff << PAGE_SHIFT;
783 unsigned long page, pos; 783 unsigned long page, pos;
784 784
785 if (offset + size > info->fix.smem_len) 785 if (vma->vm_pgoff > (~0UL >> PAGE_SHIFT))
786 return -EINVAL;
787 if (size > info->fix.smem_len)
788 return -EINVAL;
789 if (offset > info->fix.smem_len - size)
786 return -EINVAL; 790 return -EINVAL;
787 791
788 pos = (unsigned long)info->fix.smem_start + offset; 792 pos = (unsigned long)info->fix.smem_start + offset;
diff --git a/drivers/video/udlfb.c b/drivers/video/udlfb.c
index 86d449ea3169..ec03e726c940 100644
--- a/drivers/video/udlfb.c
+++ b/drivers/video/udlfb.c
@@ -324,7 +324,11 @@ static int dlfb_ops_mmap(struct fb_info *info, struct vm_area_struct *vma)
324 unsigned long offset = vma->vm_pgoff << PAGE_SHIFT; 324 unsigned long offset = vma->vm_pgoff << PAGE_SHIFT;
325 unsigned long page, pos; 325 unsigned long page, pos;
326 326
327 if (offset + size > info->fix.smem_len) 327 if (vma->vm_pgoff > (~0UL >> PAGE_SHIFT))
328 return -EINVAL;
329 if (size > info->fix.smem_len)
330 return -EINVAL;
331 if (offset > info->fix.smem_len - size)
328 return -EINVAL; 332 return -EINVAL;
329 333
330 pos = (unsigned long)info->fix.smem_start + offset; 334 pos = (unsigned long)info->fix.smem_start + offset;
diff --git a/drivers/video/vfb.c b/drivers/video/vfb.c
index 8bc1f9398945..ee5985efa15c 100644
--- a/drivers/video/vfb.c
+++ b/drivers/video/vfb.c
@@ -420,9 +420,12 @@ static int vfb_mmap(struct fb_info *info,
420 unsigned long offset = vma->vm_pgoff << PAGE_SHIFT; 420 unsigned long offset = vma->vm_pgoff << PAGE_SHIFT;
421 unsigned long page, pos; 421 unsigned long page, pos;
422 422
423 if (offset + size > info->fix.smem_len) { 423 if (vma->vm_pgoff > (~0UL >> PAGE_SHIFT))
424 return -EINVAL;
425 if (size > info->fix.smem_len)
426 return -EINVAL;
427 if (offset > info->fix.smem_len - size)
424 return -EINVAL; 428 return -EINVAL;
425 }
426 429
427 pos = (unsigned long)info->fix.smem_start + offset; 430 pos = (unsigned long)info->fix.smem_start + offset;
428 431
generated by cgit v1.2.2 (git 2.25.0) at 2025-04-08 09:44:02 -0400