This is the 2.4 version of Nick Piggin's work on 2.6 fault handlers.
This deals with security vulnerability CVE-2008-0007.
Drivers that register a ->nopage handler which does not range-check its
offset argument must set VM_DONTEXPAND in the vm_flags, so that the
offset is guaranteed to stay within bounds.
Signed-off-by: Willy Tarreau <w@1wt.eu>
vma->vm_ops = &drm_vm_dma_ops;
vma->vm_flags |= VM_LOCKED | VM_SHM; /* Don't swap */
+ vma->vm_flags |= VM_DONTEXPAND;
#if LINUX_VERSION_CODE < 0x020203 /* KERNEL_VERSION(2,2,3) */
/* In Linux 2.2.3 and above, this is
return -EINVAL; /* This should never happen. */
}
vma->vm_flags |= VM_LOCKED | VM_SHM; /* Don't swap */
+ vma->vm_flags |= VM_DONTEXPAND;
#if LINUX_VERSION_CODE < 0x020203 /* KERNEL_VERSION(2,2,3) */
/* In Linux 2.2.3 and above, this is
vma->vm_ops = &DRM(vm_dma_ops);
vma->vm_flags |= VM_RESERVED; /* Don't swap */
+ vma->vm_flags |= VM_DONTEXPAND;
vma->vm_file = filp; /* Needed for drm_vm_open() */
DRM(vm_open)(vma);
return 0;
return -EINVAL; /* This should never happen. */
}
vma->vm_flags |= VM_RESERVED; /* Don't swap */
+ vma->vm_flags |= VM_DONTEXPAND;
vma->vm_file = filp; /* Needed for drm_vm_open() */
DRM(vm_open)(vma);
{
struct via_info *card = vma->vm_private_data;
struct via_channel *chan = &card->ch_out;
+ unsigned long max_bufs;
struct page *dmapage;
unsigned long pgoff;
int rd, wr;
rd = card->ch_in.is_mapped;
wr = card->ch_out.is_mapped;
-#ifndef VIA_NDEBUG
- {
- unsigned long max_bufs = chan->frag_number;
- if (rd && wr) max_bufs *= 2;
- /* via_dsp_mmap() should ensure this */
- assert (pgoff < max_bufs);
- }
-#endif
+ max_bufs = chan->frag_number;
+ if (rd && wr)
+ max_bufs *= 2;
+ if (pgoff >= max_bufs)
+ return NOPAGE_SIGBUS;
/* if full-duplex (read+write) and we have two sets of bufs,
* then the playback buffers come first, sez soundcard.c */
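Review bot: The new unconditional check on the `if (pgoff >= max_bufs)` line replaces a debug-only assert but drops the old comment saying via_dsp_mmap() was expected to guarantee this, so a reader no longer sees why the check must live in the fault path; a one-line comment such as `/* Bound the fault offset here rather than trusting via_dsp_mmap(): the mapping can be changed after mmap time (see VM_DONTEXPAND) */` above the check would keep that rationale. The bound is taken from `chan`, which is `&card->ch_out` even when only the capture channel is mapped, so if the two channels can have different frag_number values that case deserves a look, though this is inferred from what is visible. `pgoff` is declared in the hunk but its assignment is not, so the check relies on it being computed earlier in the function. The body of this handler continues outside the hunk.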
pos = address - area->vm_start + (area->vm_pgoff << PAGE_SHIFT);
count = PAGE_SIZE;
- if (address + PAGE_SIZE > area->vm_end) {
- count = area->vm_end - address;
- }
/* what we can read in one go */
bufsize = NCP_SERVER(inode)->buffer_size;