| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20210310074028.1042475-1-ribalda@chromium.org>
Date: Wed, 10 Mar 2021 08:40:28 +0100
From: Ricardo Ribalda <ribalda@...omium.org>
To: Tomasz Figa <tfiga@...omium.org>,
Marek Szyprowski <m.szyprowski@...sung.com>,
linux-media@...r.kernel.org, linux-kernel@...r.kernel.org
Cc: Ricardo Ribalda <ribalda@...omium.org>,
Sergey Senozhatsky <senozhatsky@...omium.org>,
stable@...r.kernel.org
Subject: [PATCH] media: videobuf2: Fix integer overrun in vb2_mmap
The plane_length is an unsigned integer. So, if we have a size of
0xffffffff bytes we incorrectly allocate 0 bytes instead of 1 << 32.
Suggested-by: Sergey Senozhatsky <senozhatsky@...omium.org>
Cc: stable@...r.kernel.org
Fixes: 7f8414594e47 ("[media] media: videobuf2: fix the length check for mmap")
Signed-off-by: Ricardo Ribalda <ribalda@...omium.org>
---
drivers/media/common/videobuf2/videobuf2-core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/media/common/videobuf2/videobuf2-core.c b/drivers/media/common/videobuf2/videobuf2-core.c
index 543da515c761..876db5886867 100644
--- a/drivers/media/common/videobuf2/videobuf2-core.c
+++ b/drivers/media/common/videobuf2/videobuf2-core.c
@@ -2256,7 +2256,7 @@ int vb2_mmap(struct vb2_queue *q, struct vm_area_struct *vma)
* The buffer length was page_aligned at __vb2_buf_mem_alloc(),
* so, we need to do the same here.
*/
- length = PAGE_ALIGN(vb->planes[plane].length);
+ length = PAGE_ALIGN((unsigned int)vb->planes[plane].length);
if (length < (vma->vm_end - vma->vm_start)) {
dprintk(q, 1,
"MMAP invalid, as it would overflow buffer length\n");
--
2.30.1.766.gb4fecdf3b7-goog
Powered by blists - more mailing lists