
driver inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/ICUGZ2 ---------------------------------------------------------------------- Check the size, which is controlled by user, by adding it to vm_start and compare with end could be problematic when malicious user passes an arbitrarily big number as size which causes overflow and thus bypass the size check. Fix this by using the size as is to compare with vma range. Fixes: e6ecc3b028b8 ("soc cache: Add framework driver for HiSilicon SoC cache") Signed-off-by: Yushan Wang <wangyushan12@huawei.com> Signed-off-by: Hongye Lin <linhongye@h-partners.com> --- drivers/soc/hisilicon/hisi_soc_cache_framework.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/drivers/soc/hisilicon/hisi_soc_cache_framework.c b/drivers/soc/hisilicon/hisi_soc_cache_framework.c index 6e3b128df4e7..199111f939e9 100644 --- a/drivers/soc/hisilicon/hisi_soc_cache_framework.c +++ b/drivers/soc/hisilicon/hisi_soc_cache_framework.c @@ -204,10 +204,14 @@ static int __hisi_soc_cache_maintain(unsigned long __user vaddr, size_t size, if (mnt_type >= HISI_CACHE_MAINT_MAKEINVALID) return -EINVAL; - mmap_read_lock_killable(current->mm); + /* Prevent overflow of vaddr + size. */ + if (!size || vaddr + size < vaddr ) + return -EINVAL; + mmap_read_lock_killable(current->mm); vma = vma_lookup(current->mm, vaddr); - if (!vma || vaddr + size > vma->vm_end || !size) { + + if (!range_in_vma(vma, vaddr, vaddr + size)) { ret = -EINVAL; goto out; } -- 2.33.0
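Review bot: The re-added `mmap_read_lock_killable(current->mm);` in this hunk still discards its return value. That call returns a nonzero error when the wait is interrupted by a fatal signal, and in that case the mmap lock is not held, so `vma_lookup(current->mm, vaddr)` would run unlocked. Since the line is being moved anyway, suggest `ret = mmap_read_lock_killable(current->mm);` followed by `if (ret) return ret;` before the lookup. On the new wrap check itself: `if (!size || vaddr + size < vaddr )` has a stray space before the closing parenthesis, and `check_add_overflow()` would state the intent more directly and give a checked end value to pass to `range_in_vma()` instead of recomputing `vaddr + size`. The blank line added between `vma_lookup()` and the `if` that tests its result separates the two for no reason. Finally, the commit message says the fix uses "the size as is" for the comparison, while the code still forms `vaddr + size` and relies on the preceding overflow guard; the message should describe what the code does.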