Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Fri, 06 Jul 2018 20:35:43 +0800
From: <zrlw@...a.com>
To: "oss-security" <oss-security@...ts.openwall.com>
Subject: mmap vulnerability in motion eye video4linux driver for Sony Vaio PictureBook

Hi all,i found a vulnerability in motion eye video4linux driver for Sony Vaio PictureBook,it desn't validate user-controlled parameter 'vma->vm_pgoff', a malicious process might access all of kernel memory from user space by trying pass different arbitrary address.
/usr/src/linux-4.4.21-69/drivers/media/pci/meye/meye.c:
static int meye_mmap(struct file *file, struct vm_area_struct *vma)
...        unsigned long offset = vma->vm_pgoff << PAGE_SHIFT;
...        pos = (unsigned long)meye.grab_fbuffer + offset;
        while (size > 0) {
                page = vmalloc_to_pfn((void *)pos);
                if (remap_pfn_range(vma, start, page, PAGE_SIZE, PAGE_SHARED)) {...

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ