From b49a0e69a7b1a68c8d3f64097d06dabb770fec96 Mon Sep 17 00:00:00 2001

From: Iwona Winiarska <iwona.winiarska@intel.com>

Date: Wed, 4 Aug 2021 01:48:18 +0200

Subject: [PATCH] soc: aspeed: lpc-ctrl: Fix boundary check for mmap

Git-commit: b49a0e69a7b1a68c8d3f64097d06dabb770fec96

Patch-mainline: v5.15-rc1

References: CVE-2021-42252 bsc#1190479 git-fixes stable-5.14.6

The check mixes pages (vm_pgoff) with bytes (vm_start, vm_end) on one

side of the comparison, and uses resource address (rather than just the

resource size) on the other side of the comparison.

This can allow malicious userspace to easily bypass the boundary check and

map pages that are located outside memory-region reserved by the driver.

Fixes: 6c4e97678501 ("drivers/misc: Add Aspeed LPC control driver")

Cc: stable@vger.kernel.org

Signed-off-by: Iwona Winiarska <iwona.winiarska@intel.com>

Reviewed-by: Andrew Jeffery <andrew@aj.id.au>

Tested-by: Andrew Jeffery <andrew@aj.id.au>

Reviewed-by: Joel Stanley <joel@aj.id.au>

Signed-off-by: Joel Stanley <joel@jms.id.au>

Acked-by: Takashi Iwai <tiwai@suse.de>

---

 drivers/soc/aspeed/aspeed-lpc-ctrl.c | 2 +-

 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/soc/aspeed/aspeed-lpc-ctrl.c b/drivers/soc/aspeed/aspeed-lpc-ctrl.c

index c557ffd0992c..55e46fa6cf42 100644

--- a/drivers/soc/aspeed/aspeed-lpc-ctrl.c

+++ b/drivers/soc/aspeed/aspeed-lpc-ctrl.c

@@ -51,7 +51,7 @@ static int aspeed_lpc_ctrl_mmap(struct file *file, struct vm_area_struct *vma)

 	unsigned long vsize = vma->vm_end - vma->vm_start;

 	pgprot_t prot = vma->vm_page_prot;

-	if (vma->vm_pgoff + vsize > lpc_ctrl->mem_base + lpc_ctrl->mem_size)

+	if (vma->vm_pgoff + vma_pages(vma) > lpc_ctrl->mem_size >> PAGE_SHIFT)

 		return -EINVAL;

 	/* ast2400/2500 AHB accesses are not cache coherent */

-- 

2.26.2