[CVE-2018-8781,T/A,SRU,1/1] drm: udl: Properly check framebuffer mmap offsets

Message ID 20180508074656.12407-2-po-hsu.lin@canonical.com
State New
Series
  • Fix for CVE-2018-8781

Commit Message

Po-Hsu Lin May 8, 2018, 7:46 a.m.
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

CVE-2018-8781

The memmap options sent to the udl framebuffer driver were not being
checked for all sets of possible crazy values.  Fix this up by properly
bounding the allowed values.

Reported-by: Eyal Itkin <eyalit@checkpoint.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: https://patchwork.freedesktop.org/patch/msgid/20180321154553.GA18454@kroah.com
(cherry picked from commit 3b82a4db8eaccce735dffd50b4d4e1578099b8e8)
Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com>
---
 drivers/gpu/drm/udl/udl_fb.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

Comments

Kleber Souza May 11, 2018, 2:29 p.m. | #1
On 05/08/18 09:46, Po-Hsu Lin wrote:
> From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> 
> CVE-2018-8781
> 
> The memmap options sent to the udl framebuffer driver were not being
> checked for all sets of possible crazy values.  Fix this up by properly
> bounding the allowed values.
> 
> Reported-by: Eyal Itkin <eyalit@checkpoint.com>
> Cc: stable <stable@vger.kernel.org>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
> Link: https://patchwork.freedesktop.org/patch/msgid/20180321154553.GA18454@kroah.com
> (cherry picked from commit 3b82a4db8eaccce735dffd50b4d4e1578099b8e8)
> Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com>

Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>

> ---
>  drivers/gpu/drm/udl/udl_fb.c | 9 +++++++--
>  1 file changed, 7 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/gpu/drm/udl/udl_fb.c b/drivers/gpu/drm/udl/udl_fb.c
> index 4a65003..f8c0997 100644
> --- a/drivers/gpu/drm/udl/udl_fb.c
> +++ b/drivers/gpu/drm/udl/udl_fb.c
> @@ -158,10 +158,15 @@ static int udl_fb_mmap(struct fb_info *info, struct vm_area_struct *vma)
>  {
>  	unsigned long start = vma->vm_start;
>  	unsigned long size = vma->vm_end - vma->vm_start;
> -	unsigned long offset = vma->vm_pgoff << PAGE_SHIFT;
> +	unsigned long offset;
>  	unsigned long page, pos;
>  
> -	if (offset + size > info->fix.smem_len)
> +	if (vma->vm_pgoff > (~0UL >> PAGE_SHIFT))
> +		return -EINVAL;
> +
> +	offset = vma->vm_pgoff << PAGE_SHIFT;
> +
> +	if (offset > info->fix.smem_len || size > info->fix.smem_len - offset)
>  		return -EINVAL;
>  
>  	pos = (unsigned long)info->fix.smem_start + offset;
>
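
Review bot: The new guard `if (vma->vm_pgoff > (~0UL >> PAGE_SHIFT))` carries no comment, and its purpose (rejecting a page offset whose left shift by PAGE_SHIFT would not fit in an unsigned long) is not obvious from the expression alone. A one-line comment above it would help, and writing the bound as `ULONG_MAX >> PAGE_SHIFT` would state the intent more directly than `~0UL`.
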
Andy Whitcroft May 22, 2018, 10:51 a.m. | #2
On Tue, May 08, 2018 at 03:46:56PM +0800, Po-Hsu Lin wrote:
> From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> 
> CVE-2018-8781
> 
> The memmap options sent to the udl framebuffer driver were not being
> checked for all sets of possible crazy values.  Fix this up by properly
> bounding the allowed values.
> 
> Reported-by: Eyal Itkin <eyalit@checkpoint.com>
> Cc: stable <stable@vger.kernel.org>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
> Link: https://patchwork.freedesktop.org/patch/msgid/20180321154553.GA18454@kroah.com
> (cherry picked from commit 3b82a4db8eaccce735dffd50b4d4e1578099b8e8)
> Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com>
> ---
>  drivers/gpu/drm/udl/udl_fb.c | 9 +++++++--
>  1 file changed, 7 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/gpu/drm/udl/udl_fb.c b/drivers/gpu/drm/udl/udl_fb.c
> index 4a65003..f8c0997 100644
> --- a/drivers/gpu/drm/udl/udl_fb.c
> +++ b/drivers/gpu/drm/udl/udl_fb.c
> @@ -158,10 +158,15 @@ static int udl_fb_mmap(struct fb_info *info, struct vm_area_struct *vma)
>  {
>  	unsigned long start = vma->vm_start;
>  	unsigned long size = vma->vm_end - vma->vm_start;
> -	unsigned long offset = vma->vm_pgoff << PAGE_SHIFT;
> +	unsigned long offset;
>  	unsigned long page, pos;
>  
> -	if (offset + size > info->fix.smem_len)
> +	if (vma->vm_pgoff > (~0UL >> PAGE_SHIFT))
> +		return -EINVAL;
> +
> +	offset = vma->vm_pgoff << PAGE_SHIFT;
> +
> +	if (offset > info->fix.smem_len || size > info->fix.smem_len - offset)
>  		return -EINVAL;
>  
>  	pos = (unsigned long)info->fix.smem_start + offset;
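
Review bot: In the combined test `offset > info->fix.smem_len || size > info->fix.smem_len - offset`, the subtraction on the right is only meaningful because the left operand has already rejected an offset larger than smem_len. If that first half is later dropped or moved elsewhere, `info->fix.smem_len - offset` wraps to a very large value and any size passes. A short comment stating that dependency, or two separate `if` statements that each return -EINVAL, would make it harder to break in a later cleanup.
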
> -- 
> 2.7.4

Clean cherry-pick.  Looks to do what is claimed.

Acked-by: Andy Whitcroft <apw@canonical.com>

-apw

Stefan Bader May 23, 2018, 2:51 p.m. | #3
Applied to artful and trusty master-next.

-Stefan

Patch

diff --git a/drivers/gpu/drm/udl/udl_fb.c b/drivers/gpu/drm/udl/udl_fb.c
index 4a65003..f8c0997 100644
--- a/drivers/gpu/drm/udl/udl_fb.c
+++ b/drivers/gpu/drm/udl/udl_fb.c
@@ -158,10 +158,15 @@  static int udl_fb_mmap(struct fb_info *info, struct vm_area_struct *vma)
 {
 	unsigned long start = vma->vm_start;
 	unsigned long size = vma->vm_end - vma->vm_start;
-	unsigned long offset = vma->vm_pgoff << PAGE_SHIFT;
+	unsigned long offset;
 	unsigned long page, pos;
 
-	if (offset + size > info->fix.smem_len)
+	if (vma->vm_pgoff > (~0UL >> PAGE_SHIFT))
+		return -EINVAL;
+
+	offset = vma->vm_pgoff << PAGE_SHIFT;
+
+	if (offset > info->fix.smem_len || size > info->fix.smem_len - offset)
 		return -EINVAL;
 
 	pos = (unsigned long)info->fix.smem_start + offset;
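
Review bot: The changelog does not name the defect in the removed line `if (offset + size > info->fix.smem_len)`: with unsigned long operands the sum can wrap around and compare as small, so an out-of-range offset passes the bound. "Crazy values" gives people triaging this backport nothing concrete to match against; the message should say that the old offset/size check could wrap and that vm_pgoff is now range-checked before it is shifted.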