ACK: [CVE-2018-8781][T/A][SRU][PATCH 1/1] drm: udl: Properly check framebuffer mmap offsets

Kleber Souza kleber.souza at canonical.com
Fri May 11 14:29:53 UTC 2018


On 05/08/18 09:46, Po-Hsu Lin wrote:
> From: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
> 
> CVE-2018-8781
> 
> The memmap options sent to the udl framebuffer driver were not being
> checked for all sets of possible crazy values.  Fix this up by properly
> bounding the allowed values.
> 
> Reported-by: Eyal Itkin <eyalit at checkpoint.com>
> Cc: stable <stable at vger.kernel.org>
> Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
> Signed-off-by: Daniel Vetter <daniel.vetter at ffwll.ch>
> Link: https://patchwork.freedesktop.org/patch/msgid/20180321154553.GA18454@kroah.com
> (cherry picked from commit 3b82a4db8eaccce735dffd50b4d4e1578099b8e8)
> Signed-off-by: Po-Hsu Lin <po-hsu.lin at canonical.com>

Acked-by: Kleber Sacilotto de Souza <kleber.souza at canonical.com>

> ---
>  drivers/gpu/drm/udl/udl_fb.c | 9 +++++++--
>  1 file changed, 7 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/gpu/drm/udl/udl_fb.c b/drivers/gpu/drm/udl/udl_fb.c
> index 4a65003..f8c0997 100644
> --- a/drivers/gpu/drm/udl/udl_fb.c
> +++ b/drivers/gpu/drm/udl/udl_fb.c
> @@ -158,10 +158,15 @@ static int udl_fb_mmap(struct fb_info *info, struct vm_area_struct *vma)
>  {
>  	unsigned long start = vma->vm_start;
>  	unsigned long size = vma->vm_end - vma->vm_start;
> -	unsigned long offset = vma->vm_pgoff << PAGE_SHIFT;
> +	unsigned long offset;
>  	unsigned long page, pos;
>  
> -	if (offset + size > info->fix.smem_len)
> +	if (vma->vm_pgoff > (~0UL >> PAGE_SHIFT))
> +		return -EINVAL;
> +
> +	offset = vma->vm_pgoff << PAGE_SHIFT;
> +
> +	if (offset > info->fix.smem_len || size > info->fix.smem_len - offset)
>  		return -EINVAL;
>  
>  	pos = (unsigned long)info->fix.smem_start + offset;
> 
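Review bot: The two new bounds checks in udl_fb_mmap(), `vma->vm_pgoff > (~0UL >> PAGE_SHIFT)` and `offset > info->fix.smem_len || size > info->fix.smem_len - offset`, carry no comment saying they are overflow guards, and the commit message only speaks of "crazy values". The removed `offset + size > info->fix.smem_len` test could wrap for a large offset and pass, and the removed `vma->vm_pgoff << PAGE_SHIFT` initializer could lose high bits in the shift. The new form avoids the addition and depends on `offset > info->fix.smem_len` being evaluated first so that `info->fix.smem_len - offset` cannot underflow. A short comment above each check stating this would keep a later cleanup from folding them back into the additive form or reordering the two halves of the `||`.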