Commit cd097df4 authored by Ritesh Harjani (IBM), committed by Madhavan Srinivasan

powerpc/powernv/memtrace: Fix out of bounds issue in memtrace mmap



memtrace mmap issue has an out of bounds issue. This patch fixes it by
checking that the requested mapping region size should stay within the
allocated region size.

Reported-by: Jonathan Greental <yonatan02greental@gmail.com>
Fixes: 08a022ad ("powerpc/powernv/memtrace: Allow mmaping trace buffers")
Signed-off-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/20250610021227.361980-1-maddy@linux.ibm.com
parent 19272b37
+6 −2
@@ -48,11 +48,15 @@ static ssize_t memtrace_read(struct file *filp, char __user *ubuf,
static int memtrace_mmap(struct file *filp, struct vm_area_struct *vma)
{
	struct memtrace_entry *ent = filp->private_data;
	unsigned long ent_nrpages = ent->size >> PAGE_SHIFT;
	unsigned long vma_nrpages = vma_pages(vma);

	if (ent->size < vma->vm_end - vma->vm_start)
	/* The requested page offset should be within object's page count */
	if (vma->vm_pgoff >= ent_nrpages)
		return -EINVAL;

	if (vma->vm_pgoff << PAGE_SHIFT >= ent->size)
	/* The requested mapping range should remain within the bounds */
	if (vma_nrpages > ent_nrpages - vma->vm_pgoff)
		return -EINVAL;

	vma->vm_page_prot = pgprot_noncached(vma->vm_page_prot);
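Review bot: the second test, `vma_nrpages > ent_nrpages - vma->vm_pgoff`, is free of unsigned wrap-around only because the preceding `vma->vm_pgoff >= ent_nrpages` test has already returned -EINVAL, and the comments do not say so. A short note in the second comment that the subtraction relies on the first check would keep a later cleanup from reordering or merging the two tests. The commit message would also benefit from stating why the replaced conditions were insufficient: `ent->size < vma->vm_end - vma->vm_start` and `vma->vm_pgoff << PAGE_SHIFT >= ent->size` each compare one quantity against `ent->size` on its own, so an offset near the end of the entry combined with a length up to the full size passes both, and the shift on `vm_pgoff` can itself overflow. Doing the comparison in page units, as the new lines do, removes that shift. Note too that `ent->size >> PAGE_SHIFT` rounds down, which is the safe direction if `ent->size` is ever not page aligned.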