authorMiroslav Benes <mbenes@suse.cz>2018-05-15 17:14:39 +0200
committerMiroslav Benes <mbenes@suse.cz>2018-05-15 17:14:39 +0200
commit113d99d1f71f8803fa20204298282f70ca85adf4 (patch)
tree1ffbaf91f462ae570c9df2d2612d6613370eb6e4
parentc2b77c80191a3a3c889255495db3a526b5e43110 (diff)
parent07cd0aed6dcffc1f8b8a4d9978e97c64509742bc (diff)
Merge branch 'bsc#1090646' into SLE12-SP3_Update_2
-rw-r--r--bsc1090646/kgr_patch_bsc1090646.c91
-rw-r--r--bsc1090646/kgr_patch_bsc1090646.h14
2 files changed, 105 insertions, 0 deletions
diff --git a/bsc1090646/kgr_patch_bsc1090646.c b/bsc1090646/kgr_patch_bsc1090646.c
new file mode 100644
index 0000000..9e2c4d1
--- /dev/null
+++ b/bsc1090646/kgr_patch_bsc1090646.c
@@ -0,0 +1,91 @@
+/*
+ * kgraft_patch_bsc1090646
+ *
+ * Fix for CVE-2018-8781, bsc#1090646
+ *
+ * Upstream commit:
+ * 3b82a4db8eac ("drm: udl: Properly check framebuffer mmap offsets")
+ *
+ * SLE12(-SP1) commit:
+ * 84fef2b8200455e2bd5a4baabab0f13a3088bd1b
+ *
+ * SLE12-SP2 commit:
+ * 24db22d03c8a95661c7f81f00023bd8144aa790d
+ *
+ * SLE12-SP3 commit:
+ * 95d3e6c3bd7ee22b1bf33b4e4f91eedd3dc26f0a ("stable 4.4.125")
+ *
+ * Copyright (c) 2018 SUSE
+ * Author: Nicolai Stange <nstange@suse.de>
+ *
+ * Based on the original Linux kernel code. Other copyrights apply.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <linux/kernel.h>
+#include <linux/printk.h>
+#include <linux/fb.h>
+#include <linux/mm.h>
+#include "kgr_patch_bsc1090646.h"
+
+#if !IS_MODULE(CONFIG_DRM_UDL)
+#error "KGR patch supports only CONFIG_DRM_UDL=m."
+#endif
+
+/* patched */
+int kgr_udl_fb_mmap(struct fb_info *info, struct vm_area_struct *vma)
+{
+ unsigned long start = vma->vm_start;
+ unsigned long size = vma->vm_end - vma->vm_start;
+ /*
+ * Fix CVE-2018-8781
+ * -1 line, +1 line
+ */
+ unsigned long offset;
+ unsigned long page, pos;
+
+ /*
+ * Fix CVE-2018-8781
+ * -2 lines, +7 lines
+ */
+ if (vma->vm_pgoff > (~0UL >> PAGE_SHIFT))
+ return -EINVAL;
+
+ offset = vma->vm_pgoff << PAGE_SHIFT;
+
+ if (offset > info->fix.smem_len || size > info->fix.smem_len - offset)
+ return -EINVAL;
+
+ pos = (unsigned long)info->fix.smem_start + offset;
+
+ pr_notice("mmap() framebuffer addr:%lu size:%lu\n",
+ pos, size);
+
+ while (size > 0) {
+ page = vmalloc_to_pfn((void *)pos);
+ if (remap_pfn_range(vma, start, page, PAGE_SIZE, PAGE_SHARED))
+ return -EAGAIN;
+
+ start += PAGE_SIZE;
+ pos += PAGE_SIZE;
+ if (size > PAGE_SIZE)
+ size -= PAGE_SIZE;
+ else
+ size = 0;
+ }
+
+ /* VM_IO | VM_DONTEXPAND | VM_DONTDUMP are set by remap_pfn_range() */
+ return 0;
+}
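Review bot: The `pr_notice` call in kgr_udl_fb_mmap prints `pos` with `%lu`, and `pos` is the value later passed to `vmalloc_to_pfn((void *)pos)`, so every successful bounds check writes an unhashed kernel virtual address to the log at notice level. That weakens kernel address randomisation for anyone who can read the log, and because the message is emitted on each call it also lets a caller of mmap() on this device flood the log. Logging the already-validated offset at debug level avoids both: `pr_debug("mmap() framebuffer offset:%lu size:%lu\n", offset, size);`. If the line is kept only so the live patch matches the function it replaces (which is not visible on this page), a short comment next to the call should say so.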
diff --git a/bsc1090646/kgr_patch_bsc1090646.h b/bsc1090646/kgr_patch_bsc1090646.h
new file mode 100644
index 0000000..da299f4
--- /dev/null
+++ b/bsc1090646/kgr_patch_bsc1090646.h
@@ -0,0 +1,14 @@
+#ifndef _KGR_PATCH_BSC1090646_H
+#define _KGR_PATCH_BSC1090646_H
+
+static inline int kgr_patch_bsc1090646_init(void) { return 0; }
+static inline void kgr_patch_bsc1090646_cleanup(void) {}
+
+struct fb_info;
+struct vm_area_struct;
+int kgr_udl_fb_mmap(struct fb_info *info, struct vm_area_struct *vma);
+
+#define KGR_PATCH_BSC1090646_FUNCS \
+ KGR_PATCH_OBJ(udl_fb_mmap, kgr_udl_fb_mmap, "udl"), \
+
+#endif
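Review bot: The definition of `KGR_PATCH_BSC1090646_FUNCS` ends in `, \` and depends on the empty line after it to terminate the macro; if that blank line is ever removed, `#endif` is absorbed into the macro body and the include guard is left unterminated. Ending the last entry without the continuation, `KGR_PATCH_OBJ(udl_fb_mmap, kgr_udl_fb_mmap, "udl"),`, keeps the trailing comma while removing the dependency on whitespace. `KGR_PATCH_OBJ` is neither defined nor included in this header, so a one-line comment naming the header expected to provide it would document the include-order requirement.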