Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Fri, 6 Jul 2018 16:54:22 +0200
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Cc: zrlw@...a.com
Subject: Re: mmap vulnerability in motion eye video4linux driver for Sony Vaio PictureBook

On Fri, Jul 06, 2018 at 03:26:55PM +0200, Greg KH wrote:
> On Fri, Jul 06, 2018 at 08:35:43PM +0800, zrlw@...a.com wrote:
> > Hi all,i found a vulnerability in motion eye video4linux driver for Sony Vaio PictureBook,it desn't validate user-controlled parameter 'vma->vm_pgoff', a malicious process might access all of kernel memory from user space by trying pass different arbitrary address.
> > /usr/src/linux-4.4.21-69/drivers/media/pci/meye/meye.c:
> > static int meye_mmap(struct file *file, struct vm_area_struct *vma)
> > ...        unsigned long offset = vma->vm_pgoff << PAGE_SHIFT;
> > ...        pos = (unsigned long)meye.grab_fbuffer + offset;
> >         while (size > 0) {
> >                 page = vmalloc_to_pfn((void *)pos);
> >                 if (remap_pfn_range(vma, start, page, PAGE_SIZE, PAGE_SHARED)) {...
> 
> Commit:
> 	be83bbf80682 ("mmap: introduce sane default mmap limits")
> which was backported to all stable kernels, should have resolved this
> problem, correct?
> 
> If not, please notify the media driver maintainers and they will be glad
> to fix the problem.

I think zrlw@...a.com is not subscribed, so CC'ing.

I wonder if it's also possible to cause integer overflow on "(unsigned
long)meye.grab_fbuffer + offset", bringing pos below meye.grab_fbuffer,
and what the impact of that would be.

Alexander

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ