Improve fb_mmap bounds checks in gbefb, smscufx, udlfb and vfb drivers to
prevent possible uint overflows.
Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
Cc: Steve Glendinning <steve.glendinning@smsc.com>
Cc: Bernie Thompson <bernie@plugable.com>
/* check range */
if (vma->vm_pgoff > (~0UL >> PAGE_SHIFT))
return -EINVAL;
- if (offset + size > gbe_mem_size)
+ if (size > gbe_mem_size)
+ return -EINVAL;
+ if (offset > gbe_mem_size - size)
return -EINVAL;
/* remap using the fastest write-through mode on architecture */
unsigned long offset = vma->vm_pgoff << PAGE_SHIFT;
unsigned long page, pos;
- if (offset + size > info->fix.smem_len)
+ if (vma->vm_pgoff > (~0UL >> PAGE_SHIFT))
+ return -EINVAL;
+ if (size > info->fix.smem_len)
+ return -EINVAL;
+ if (offset > info->fix.smem_len - size)
return -EINVAL;
pos = (unsigned long)info->fix.smem_start + offset;
unsigned long offset = vma->vm_pgoff << PAGE_SHIFT;
unsigned long page, pos;
- if (offset + size > info->fix.smem_len)
+ if (vma->vm_pgoff > (~0UL >> PAGE_SHIFT))
+ return -EINVAL;
+ if (size > info->fix.smem_len)
+ return -EINVAL;
+ if (offset > info->fix.smem_len - size)
return -EINVAL;
pos = (unsigned long)info->fix.smem_start + offset;
unsigned long offset = vma->vm_pgoff << PAGE_SHIFT;
unsigned long page, pos;
- if (offset + size > info->fix.smem_len) {
+ if (vma->vm_pgoff > (~0UL >> PAGE_SHIFT))
+ return -EINVAL;
+ if (size > info->fix.smem_len)
+ return -EINVAL;
+ if (offset > info->fix.smem_len - size)
return -EINVAL;
- }
pos = (unsigned long)info->fix.smem_start + offset;
projects / GitHub / LineageOS / android_kernel_motorola_exynos9610.git / commitdiff