author | Andreas Wellving <andreas.wellving@enea.com> | 2018-10-26 13:22:57 +0200 |
---|---|---|
committer | Andreas Wellving <andreas.wellving@enea.com> | 2018-10-26 13:22:57 +0200 |
commit | 53fccbc963044818e6f5afb73c09bf91a88518a3 (patch) | |
tree | 134ea7e043da604ff2ca3d57b398fa1b6e7e4cdf | |
parent | 2880d3bbc5ac81c9ea0f5c5ac060841d44200624 (diff) | |
drm: CVE-2018-8781
drm: udl: Properly check framebuffer mmap offsets
Reference:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=4ac9ab4f5f45d1ad0585c7bfa9ccff43b9984045
Change-Id: I9854538e5b7d52b7ebea071b65ac76ebd58c8246
Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
-rw-r--r-- | patches/cve/4.9.x.scc | 3 | ||||
-rw-r--r-- | patches/cve/CVE-2018-8781-drm-udl-Properly-check-framebuffer-mmap-offsets.patch | 49 |
2 files changed, 52 insertions, 0 deletions
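--- a/patches/cve/4.9.x.scc
+++ b/patches/cve/4.9.x.scc
@@ -1,2 +1,5 @@
 #CVEs fixed in 4.9.89:
 patch CVE-2018-7480-blkcg-fix-double-free-of-new_blkg-in-blkcg_init_queu.patch
+
+#CVEs fixed in 4.9.91:
+SRC_URI += "file://CVE-2018-8781-drm-udl-Properly-check-framebuffer-mmap-offsets.patch"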
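Review bot: The entry added on new line 5 uses BitBake recipe syntax, `SRC_URI += "file://CVE-2018-8781-drm-udl-Properly-check-framebuffer-mmap-offsets.patch"`, while the existing entry in this .scc file uses the `patch <file>` directive. If the tool that processes the .scc file does not treat `SRC_URI` as a patch directive, the CVE-2018-8781 fix would be shipped in the cache but never applied to the kernel source, possibly without a build error. The line should probably read `patch CVE-2018-8781-drm-udl-Properly-check-framebuffer-mmap-offsets.patch`. It is worth confirming on a built tree that drivers/gpu/drm/udl/udl_fb.c contains the new `vm_pgoff` check.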
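--- /dev/null
+++ b/patches/cve/CVE-2018-8781-drm-udl-Properly-check-framebuffer-mmap-offsets.patch
@@ -0,0 +1,49 @@
+From 4ac9ab4f5f45d1ad0585c7bfa9ccff43b9984045 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Wed, 21 Mar 2018 16:45:53 +0100
+Subject: [PATCH] drm: udl: Properly check framebuffer mmap offsets
+
+commit 3b82a4db8eaccce735dffd50b4d4e1578099b8e8 upstream.
+
+The memmap options sent to the udl framebuffer driver were not being
+checked for all sets of possible crazy values. Fix this up by properly
+bounding the allowed values.
+
+CVE: CVE-2018-8781
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=4ac9ab4f5f45d1ad0585c7bfa9ccff43b9984045]
+
+Reported-by: Eyal Itkin <eyalit@checkpoint.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Link: https://patchwork.freedesktop.org/patch/msgid/20180321154553.GA18454@kroah.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+drivers/gpu/drm/udl/udl_fb.c | 9 +++++++--
+1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/udl/udl_fb.c b/drivers/gpu/drm/udl/udl_fb.c
+index 611b6b9bb3cb..67ea2ce03a23 100644
+--- a/drivers/gpu/drm/udl/udl_fb.c
++++ b/drivers/gpu/drm/udl/udl_fb.c
+@@ -158,10 +158,15 @@ static int udl_fb_mmap(struct fb_info *info, struct vm_area_struct *vma)
+{
+unsigned long start = vma->vm_start;
+unsigned long size = vma->vm_end - vma->vm_start;
+- unsigned long offset = vma->vm_pgoff << PAGE_SHIFT;
++ unsigned long offset;
+unsigned long page, pos;
+
+- if (offset + size > info->fix.smem_len)
++ if (vma->vm_pgoff > (~0UL >> PAGE_SHIFT))
++ return -EINVAL;
++
++ offset = vma->vm_pgoff << PAGE_SHIFT;
++
++ if (offset > info->fix.smem_len || size > info->fix.smem_len - offset)
+return -EINVAL;
+
+pos = (unsigned long)info->fix.smem_start + offset;
+
+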
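Review bot: Nothing in the patch records why the bounds test at patch lines 38-44 was restructured; the message only mentions "crazy values", so a later cleanup could fold it back into the removed form `offset + size > info->fix.smem_len`, where the shift and the sum can wrap and pass the bound. Because this is a backport, the C code should stay identical to upstream, so the reason is best noted in the patch header next to the `CVE:` tag, for example `Note: size is compared against smem_len - offset so that offset + size is never computed and cannot wrap.` The rest of udl_fb_mmap, including the code that consumes `pos`, lies outside the hunk and was not reviewed here.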