Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Sat, 07 Jul 2018 00:09:37 +0800
From: <zrlw@...a.com>
To: "Solar Designer" <solar@...nwall.com>,
  "oss-security" <oss-security@...ts.openwall.com>,
Subject: Re: mmap vulnerability in motion eye video4linux driver for Sony Vaio PictureBook

I  sent a email to the original authors which i found in the head of meye.c, but i don't receive any response util now. I don't think   commit be83bbf80682  will work on this case, this driver derived from v4l2-core which not use inode,  maybe i'm wrong.  
----- Original Message -----
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Cc: zrlw@...a.com
Subject: Re: [oss-security] mmap vulnerability in motion eye video4linux driver for Sony Vaio PictureBook
Date: 2018-07-06 22:54


On Fri, Jul 06, 2018 at 03:26:55PM +0200, Greg KH wrote:
> On Fri, Jul 06, 2018 at 08:35:43PM +0800, zrlw@...a.com wrote:
> > Hi all,i found a vulnerability in motion eye video4linux driver for Sony Vaio PictureBook,it desn't validate user-controlled parameter 'vma->vm_pgoff', a malicious process might access all of kernel memory from user space by trying pass different arbitrary address.
> > /usr/src/linux-4.4.21-69/drivers/media/pci/meye/meye.c:
> > static int meye_mmap(struct file *file, struct vm_area_struct *vma)
> > ...        unsigned long offset = vma->vm_pgoff << PAGE_SHIFT;
> > ...        pos = (unsigned long)meye.grab_fbuffer + offset;
> >         while (size > 0) {
> >                 page = vmalloc_to_pfn((void *)pos);
> >                 if (remap_pfn_range(vma, start, page, PAGE_SIZE, PAGE_SHARED)) {...
> 
> Commit:
> 	be83bbf80682 ("mmap: introduce sane default mmap limits")
> which was backported to all stable kernels, should have resolved this
> problem, correct?
> 
> If not, please notify the media driver maintainers and they will be glad
> to fix the problem.
I think zrlw@...a.com is not subscribed, so CC'ing.
I wonder if it's also possible to cause integer overflow on "(unsigned
long)meye.grab_fbuffer + offset", bringing pos below meye.grab_fbuffer,
and what the impact of that would be.
Alexander

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ