| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 10 Mar 2021 08:40:24 +0100
From: Ricardo Ribalda <ribalda@...omium.org>
To: Sergey Senozhatsky <sergey.senozhatsky.work@...il.com>
Cc: Tomasz Figa <tfiga@...omium.org>,
Marek Szyprowski <m.szyprowski@...sung.com>,
Mauro Carvalho Chehab <mchehab@...nel.org>,
linux-media@...r.kernel.org, linux-kernel@...r.kernel.org,
Laurent Pinchart <laurent.pinchart@...asonboard.com>,
stable@...r.kernel.org
Subject: Re: [PATCH] media: videobuf2: Fix integer overrun in allocation
Hi Sergey
On Wed, Mar 10, 2021 at 2:42 AM Sergey Senozhatsky
<sergey.senozhatsky.work@...il.com> wrote:
>
> On (21/03/10 00:43), Ricardo Ribalda wrote:
> > The plane_length is an unsigned integer. So, if we have a size of
> > 0xffffffff bytes we incorrectly allocate 0 bytes instead of 1 << 32.
>
> Hi Ricardo,
>
> > @@ -223,8 +223,10 @@ static int __vb2_buf_mem_alloc(struct vb2_buffer *vb)
> > * NOTE: mmapped areas should be page aligned
> > */
> > for (plane = 0; plane < vb->num_planes; ++plane) {
> > + unsigned long size = vb->planes[plane].length;
> > +
> > /* Memops alloc requires size to be page aligned. */
> > - unsigned long size = PAGE_ALIGN(vb->planes[plane].length);
> > + size = PAGE_ALIGN(size);
> >
> > /* Did it wrap around? */
> > if (size < vb->planes[plane].length)
>
> Shouldn't the same be done in vb2_mmap()?
Indeed, I was having tunnel vision focussing on my issue.
I have sent a new patch.
Thanks!
>
> -ss
--
Ricardo Ribalda
Powered by blists - more mailing lists