Message-Id: <20200108161619.7999-1-tiwai@suse.de>
Date: Wed, 8 Jan 2020 17:16:19 +0100
From: Takashi Iwai <tiwai@...e.de>
To: Mauro Carvalho Chehab <mchehab@...nel.org>
Cc: linux-media@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: [PATCH] media: cpia2: Fix integer overflow in mmap handling
The offset and size checks in cpia2_remap_buffer() may ignore the
integer overflow and allow local users to obtain access to the
kernel physical pages.
Fix it by modifying the check more carefully; the size value is
already checked beforehand and guaranteed to be smaller than
cam->frame_size*num_frames, so it's safe to subtract in the right
hand side.
This covers CVE-2019-18675.
Cc: <stable@...r.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@...e.de>
---
I'm submitting this since there hasn't been any action seen for this
bug over a month. Let me know if there is already a fix. Thanks.
drivers/media/usb/cpia2/cpia2_core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/media/usb/cpia2/cpia2_core.c b/drivers/media/usb/cpia2/cpia2_core.c
index 20c50c2d042e..26ae7a5e3783 100644
--- a/drivers/media/usb/cpia2/cpia2_core.c
+++ b/drivers/media/usb/cpia2/cpia2_core.c
@@ -2401,7 +2401,7 @@ int cpia2_remap_buffer(struct camera_data *cam, struct vm_area_struct *vma)
if (size > cam->frame_size*cam->num_frames ||
(start_offset % cam->frame_size) != 0 ||
- (start_offset+size > cam->frame_size*cam->num_frames))
+ (start_offset > cam->frame_size*cam->num_frames - size))
return -EINVAL;
pos = ((unsigned long) (cam->frame_buffer)) + start_offset;
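Review bot: the rewritten third condition `start_offset > cam->frame_size*cam->num_frames - size` is only free of underflow because the first condition in the `||` chain, `size > cam->frame_size*cam->num_frames`, has already rejected any `size` larger than the buffer; that reliance on short-circuit ordering deserves a comment, and computing the product once into a local such as `unsigned long total = cam->frame_size * cam->num_frames;` would make the invariant explicit and avoid evaluating the multiplication three times. It is also worth confirming that the product itself cannot wrap for the values `frame_size` and `num_frames` can take, since none of the three comparisons would catch that case.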
--
2.16.4
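The bounds check before and after the patch, written out as a stand-alone C example so the difference can be exercised on wrapping input. This is an added illustration, not code from the cpia2 driver or from the patch; `struct cam_geometry` is a constructed stand-in for the two `struct camera_data` fields the check reads, the `frame_size == 0` guard is an addition for the demo (the driver's own check has no such guard), and the sample values are constructed.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for the fields of struct camera_data used by the check. */
struct cam_geometry {
    unsigned long frame_size;
    unsigned long num_frames;
};

/* Shape of the check before the patch: start_offset + size is computed in
 * unsigned long arithmetic and can wrap around to a small value, so a very
 * large start_offset slips past the third comparison. */
bool remap_range_ok_before(const struct cam_geometry *cam,
                           unsigned long start_offset, unsigned long size)
{
    unsigned long total = cam->frame_size * cam->num_frames;

    if (cam->frame_size == 0)          /* demo-only guard against % by zero */
        return false;
    if (size > total ||
        (start_offset % cam->frame_size) != 0 ||
        (start_offset + size > total))
        return false;
    return true;
}

/* Shape of the check after the patch: size <= total is established by the
 * first comparison, so total - size cannot underflow and the subtraction
 * replaces the addition that could wrap. */
bool remap_range_ok_after(const struct cam_geometry *cam,
                          unsigned long start_offset, unsigned long size)
{
    unsigned long total = cam->frame_size * cam->num_frames;

    if (cam->frame_size == 0)          /* demo-only guard against % by zero */
        return false;
    if (size > total ||
        (start_offset % cam->frame_size) != 0 ||
        (start_offset > total - size))
        return false;
    return true;
}

/* Constructed camera geometry: four 4 KiB frames, 16 KiB of buffer in total. */
static const struct cam_geometry demo_cam = { .frame_size = 4096, .num_frames = 4 };

/* An offset aligned to frame_size whose sum with one frame wraps to zero. */
unsigned long wrapping_offset(void)
{
    return ULONG_MAX - 4095UL;
}

int main(void)
{
    unsigned long off = wrapping_offset();

    printf("in-range request  before=%d after=%d\n",
           remap_range_ok_before(&demo_cam, 4096, 8192),
           remap_range_ok_after(&demo_cam, 4096, 8192));
    printf("wrapping request  before=%d after=%d\n",
           remap_range_ok_before(&demo_cam, off, 4096),
           remap_range_ok_after(&demo_cam, off, 4096));
    return 0;
}
```

Running it shows the two checks agreeing on ordinary in-range and out-of-range requests, and disagreeing only on the wrapping offset, which the pre-patch form accepts and the patched form rejects.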