diff options
| author |   Iwona Winiarska <iwona.winiarska@intel.com> | 2021-08-04 01:48:19 +0200 |
|---|---|---|
| committer |   Joel Stanley <joel@jms.id.au> | 2021-08-17 18:00:44 +0930 |
| commit | 8b07e990fb254fcbaa919616ac77f981cb48c73d (patch) | |
| tree | d293d1a79b058fdd9e62887a0ca9a146077aa9ba | |
| parent | soc: aspeed: lpc-ctrl: Fix boundary check for mmap (diff) | |
| download | linux-dev-8b07e990fb254fcbaa919616ac77f981cb48c73d.tar.xz linux-dev-8b07e990fb254fcbaa919616ac77f981cb48c73d.zip | |
soc: aspeed: p2a-ctrl: Fix boundary check for mmap
The check mixes pages (vm_pgoff) with bytes (vm_start, vm_end) on one
side of the comparison, and uses resource address (rather than just the
resource size) on the other side of the comparison.
This can allow malicious userspace to easily bypass the boundary check and
map pages that are located outside memory-region reserved by the driver.
Fixes: 01c60dcea9f7 ("drivers/misc: Add Aspeed P2A control driver")
Cc: stable@vger.kernel.org
Signed-off-by: Iwona Winiarska <iwona.winiarska@intel.com>
Reviewed-by: Andrew Jeffery <andrew@aj.id.au>
Tested-by: Andrew Jeffery <andrew@aj.id.au>
Reviewed-by: Joel Stanley <joel@aj.id.au>
Signed-off-by: Joel Stanley <joel@jms.id.au>
| -rw-r--r-- | drivers/soc/aspeed/aspeed-p2a-ctrl.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/soc/aspeed/aspeed-p2a-ctrl.c b/drivers/soc/aspeed/aspeed-p2a-ctrl.c index b60fbeaffcbd..20b5fb2a207c 100644 --- a/drivers/soc/aspeed/aspeed-p2a-ctrl.c +++ b/drivers/soc/aspeed/aspeed-p2a-ctrl.c @@ -110,7 +110,7 @@ static int aspeed_p2a_mmap(struct file *file, struct vm_area_struct *vma) vsize = vma->vm_end - vma->vm_start; prot = vma->vm_page_prot; - if (vma->vm_pgoff + vsize > ctrl->mem_base + ctrl->mem_size) + if (vma->vm_pgoff + vma_pages(vma) > ctrl->mem_size >> PAGE_SHIFT) return -EINVAL; /* ast2400/2500 AHB accesses are not cache coherent */ |