[Trusty][Artful][SRU][PATCH 0/1] Fix for CVE-2018-8781


Po-Hsu Lin (Sam)
According to our CVE matrix, only Trusty and Artful need this patch,
which can be cherry-picked for both.

This adds a more solid check to the offset variable for the udl framebuffer
driver before using it.

Greg Kroah-Hartman (1):
  drm: udl: Properly check framebuffer mmap offsets

 drivers/gpu/drm/udl/udl_fb.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

--
2.7.4


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team

[CVE-2018-8781][T/A][SRU][PATCH 1/1] drm: udl: Properly check framebuffer mmap offsets

Po-Hsu Lin (Sam)
From: Greg Kroah-Hartman <[hidden email]>

CVE-2018-8781

The memmap options sent to the udl framebuffer driver were not being
checked for all sets of possible crazy values.  Fix this up by properly
bounding the allowed values.

Reported-by: Eyal Itkin <[hidden email]>
Cc: stable <[hidden email]>
Signed-off-by: Greg Kroah-Hartman <[hidden email]>
Signed-off-by: Daniel Vetter <[hidden email]>
Link: https://patchwork.freedesktop.org/patch/msgid/20180321154553.GA18454@...
(cherry picked from commit 3b82a4db8eaccce735dffd50b4d4e1578099b8e8)
Signed-off-by: Po-Hsu Lin <[hidden email]>
---
 drivers/gpu/drm/udl/udl_fb.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/udl/udl_fb.c b/drivers/gpu/drm/udl/udl_fb.c
index 4a65003..f8c0997 100644
--- a/drivers/gpu/drm/udl/udl_fb.c
+++ b/drivers/gpu/drm/udl/udl_fb.c
@@ -158,10 +158,15 @@ static int udl_fb_mmap(struct fb_info *info, struct vm_area_struct *vma)
 {
  unsigned long start = vma->vm_start;
  unsigned long size = vma->vm_end - vma->vm_start;
- unsigned long offset = vma->vm_pgoff << PAGE_SHIFT;
+ unsigned long offset;
  unsigned long page, pos;
 
- if (offset + size > info->fix.smem_len)
+ if (vma->vm_pgoff > (~0UL >> PAGE_SHIFT))
+ return -EINVAL;
+
+ offset = vma->vm_pgoff << PAGE_SHIFT;
+
+ if (offset > info->fix.smem_len || size > info->fix.smem_len - offset)
  return -EINVAL;
 
  pos = (unsigned long)info->fix.smem_start + offset;
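Review bot: The rewritten bounds test at `if (offset > info->fix.smem_len || size > info->fix.smem_len - offset)` carries no comment explaining why it is not written as the removed `offset + size > info->fix.smem_len`, where the sum of two `unsigned long` values can wrap and pass the check. A short comment above the test, noting that the subtraction cannot underflow only because the `offset > info->fix.smem_len` operand is evaluated first, would keep a later cleanup from folding the two operands back into a single sum.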
--
2.7.4



ACK: [CVE-2018-8781][T/A][SRU][PATCH 1/1] drm: udl: Properly check framebuffer mmap offsets

Kleber Souza
On 05/08/18 09:46, Po-Hsu Lin wrote:

> From: Greg Kroah-Hartman <[hidden email]>
>
> CVE-2018-8781
>
> The memmap options sent to the udl framebuffer driver were not being
> checked for all sets of possible crazy values.  Fix this up by properly
> bounding the allowed values.
>
> Reported-by: Eyal Itkin <[hidden email]>
> Cc: stable <[hidden email]>
> Signed-off-by: Greg Kroah-Hartman <[hidden email]>
> Signed-off-by: Daniel Vetter <[hidden email]>
> Link: https://patchwork.freedesktop.org/patch/msgid/20180321154553.GA18454@...
> (cherry picked from commit 3b82a4db8eaccce735dffd50b4d4e1578099b8e8)
> Signed-off-by: Po-Hsu Lin <[hidden email]>

Acked-by: Kleber Sacilotto de Souza <[hidden email]>

> ---
>  drivers/gpu/drm/udl/udl_fb.c | 9 +++++++--
>  1 file changed, 7 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/gpu/drm/udl/udl_fb.c b/drivers/gpu/drm/udl/udl_fb.c
> index 4a65003..f8c0997 100644
> --- a/drivers/gpu/drm/udl/udl_fb.c
> +++ b/drivers/gpu/drm/udl/udl_fb.c
> @@ -158,10 +158,15 @@ static int udl_fb_mmap(struct fb_info *info, struct vm_area_struct *vma)
>  {
>   unsigned long start = vma->vm_start;
>   unsigned long size = vma->vm_end - vma->vm_start;
> - unsigned long offset = vma->vm_pgoff << PAGE_SHIFT;
> + unsigned long offset;
>   unsigned long page, pos;
>  
> - if (offset + size > info->fix.smem_len)
> + if (vma->vm_pgoff > (~0UL >> PAGE_SHIFT))
> + return -EINVAL;
> +
> + offset = vma->vm_pgoff << PAGE_SHIFT;
> +
> + if (offset > info->fix.smem_len || size > info->fix.smem_len - offset)
>   return -EINVAL;
>  
>   pos = (unsigned long)info->fix.smem_start + offset;
>
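Review bot: Style point on the new guard `if (vma->vm_pgoff > (~0UL >> PAGE_SHIFT))`: the limit reads as a magic constant, and nothing in the hunk says it exists so that `offset = vma->vm_pgoff << PAGE_SHIFT` a few lines later cannot lose high bits in the `unsigned long` it is stored in. Writing the limit as `ULONG_MAX >> PAGE_SHIFT`, or adding a one-line comment to that effect, would make the intent clear; since this is a cherry-pick, that change would belong upstream rather than in the SRU.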
