drm: CVE-2018-8781

drm: udl: Properly check framebuffer mmap offsets

Reference:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=4ac9ab4f5f45d1ad0585c7bfa9ccff43b9984045

Change-Id: I9854538e5b7d52b7ebea071b65ac76ebd58c8246
Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>

2 files changed, 52 insertions, 0 deletions

diff --git a/patches/cve/4.9.x.scc b/patches/cve/4.9.x.scc
index 1702181..4dad7d1 100644
--- a/patches/cve/4.9.x.scc
+++ b/patches/cve/4.9.x.scc
@@ -1,2 +1,5 @@
 #CVEs fixed in 4.9.89:
 patch CVE-2018-7480-blkcg-fix-double-free-of-new_blkg-in-blkcg_init_queu.patch
+
+#CVEs fixed in 4.9.91:
+SRC_URI += "file://CVE-2018-8781-drm-udl-Properly-check-framebuffer-mmap-offsets.patch"
diff --git a/patches/cve/CVE-2018-8781-drm-udl-Properly-check-framebuffer-mmap-offsets.patch b/patches/cve/CVE-2018-8781-drm-udl-Properly-check-framebuffer-mmap-offsets.patch
new file mode 100644
index 0000000..e8fecb6
--- /dev/null
+++ b/patches/cve/CVE-2018-8781-drm-udl-Properly-check-framebuffer-mmap-offsets.patch
@@ -0,0 +1,49 @@
+From 4ac9ab4f5f45d1ad0585c7bfa9ccff43b9984045 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Wed, 21 Mar 2018 16:45:53 +0100
+Subject: [PATCH] drm: udl: Properly check framebuffer mmap offsets
+
+commit 3b82a4db8eaccce735dffd50b4d4e1578099b8e8 upstream.
+
+The memmap options sent to the udl framebuffer driver were not being
+checked for all sets of possible crazy values.  Fix this up by properly
+bounding the allowed values.
+
+CVE: CVE-2018-8781
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=4ac9ab4f5f45d1ad0585c7bfa9ccff43b9984045]
+
+Reported-by: Eyal Itkin <eyalit@checkpoint.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Link: https://patchwork.freedesktop.org/patch/msgid/20180321154553.GA18454@kroah.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ drivers/gpu/drm/udl/udl_fb.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/udl/udl_fb.c b/drivers/gpu/drm/udl/udl_fb.c
+index 611b6b9bb3cb..67ea2ce03a23 100644
+--- a/drivers/gpu/drm/udl/udl_fb.c
++++ b/drivers/gpu/drm/udl/udl_fb.c
+@@ -158,10 +158,15 @@ static int udl_fb_mmap(struct fb_info *info, struct vm_area_struct *vma)
+ {
+        unsigned long start = vma->vm_start;
+        unsigned long size = vma->vm_end - vma->vm_start;
+-       unsigned long offset = vma->vm_pgoff << PAGE_SHIFT;
++       unsigned long offset;
+        unsigned long page, pos;
+ 
+-       if (offset + size > info->fix.smem_len)
++       if (vma->vm_pgoff > (~0UL >> PAGE_SHIFT))
++               return -EINVAL;
++
++       offset = vma->vm_pgoff << PAGE_SHIFT;
++
++       if (offset > info->fix.smem_len || size > info->fix.smem_len - offset)
+                return -EINVAL;
+ 
+        pos = (unsigned long)info->fix.smem_start + offset;
+
+