powerpc/powernv/memtrace: Fix out of bounds issue in memtrace mmap

memtrace mmap issue has an out of bounds issue. This patch fixes the by
checking that the requested mapping region size should stay within the
allocated region size.

Reported-by: Jonathan Greental <yonatan02greental@gmail.com>
Fixes: 08a022ad3dfa ("powerpc/powernv/memtrace: Allow mmaping trace buffers")
Signed-off-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/20250610021227.361980-1-maddy@linux.ibm.com

diff --git a/arch/powerpc/platforms/powernv/memtrace.c b/arch/powerpc/platforms/powernv/memtrace.c
index 4ac9808e55a44d13a97de03168ce0d95f60d1bb4..2ea30b34335415be91d0aa44ec4f7bf96c4e6d71 100644 (file)
--- a/arch/powerpc/platforms/powernv/memtrace.c
+++ b/arch/powerpc/platforms/powernv/memtrace.c
@@ -48,11 +48,15 @@ static ssize_t memtrace_read(struct file *filp, char __user *ubuf,
 static int memtrace_mmap(struct file *filp, struct vm_area_struct *vma)
 {
        struct memtrace_entry *ent = filp->private_data;
+       unsigned long ent_nrpages = ent->size >> PAGE_SHIFT;
+       unsigned long vma_nrpages = vma_pages(vma);
 
-       if (ent->size < vma->vm_end - vma->vm_start)
+       /* The requested page offset should be within object's page count */
+       if (vma->vm_pgoff >= ent_nrpages)
                return -EINVAL;
 
-       if (vma->vm_pgoff << PAGE_SHIFT >= ent->size)
+       /* The requested mapping range should remain within the bounds */
+       if (vma_nrpages > ent_nrpages - vma->vm_pgoff)
                return -EINVAL;
 
        vma->vm_page_prot = pgprot_noncached(vma->vm_page_prot);