From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Content-Type: text/plain; charset="UTF-8" Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 From: Ben Hutchings To: linux-kernel@vger.kernel.org, stable@vger.kernel.org CC: akpm@linux-foundation.org, "Julius Werner" , "Greg Kroah-Hartman" Date: Sat, 09 Sep 2017 22:47:14 +0100 Message-ID: Subject: [PATCH 3.16 063/233] drivers: char: mem: Check for address space wraparound with mmap() In-Reply-To: Sender: linux-kernel-owner@vger.kernel.org List-ID: 3.16.48-rc1 review patch. If anyone has any objections, please let me know. ------------------ From: Julius Werner commit b299cde245b0b76c977f4291162cf668e087b408 upstream. /dev/mem currently allows mmap() mappings that wrap around the end of the physical address space, which should probably be illegal. It circumvents the existing STRICT_DEVMEM permission check because the loop immediately terminates (as the start address is already higher than the end address). On the x86_64 architecture it will then cause a panic (from the BUG(start >= end) in arch/x86/mm/pat.c:reserve_memtype()). This patch adds an explicit check to make sure offset + size will not wrap around in the physical address type. Signed-off-by: Julius Werner Signed-off-by: Greg Kroah-Hartman Signed-off-by: Ben Hutchings --- drivers/char/mem.c | 5 +++++ 1 file changed, 5 insertions(+) --- a/drivers/char/mem.c +++ b/drivers/char/mem.c @@ -329,6 +329,11 @@ static const struct vm_operations_struct static int mmap_mem(struct file *file, struct vm_area_struct *vma) { size_t size = vma->vm_end - vma->vm_start; + phys_addr_t offset = (phys_addr_t)vma->vm_pgoff << PAGE_SHIFT; + + /* It's illegal to wrap around the end of the physical address space. */ + if (offset + (phys_addr_t)size < offset) + return -EINVAL; if (!valid_mmap_phys_addr_range(vma->vm_pgoff, size)) return -EINVAL;