Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Wed, 11 Jul 2018 13:04:17 +0200
From: Greg KH <greg@...ah.com>
To: zrlw@...a.com
Cc: oss-security <oss-security@...ts.openwall.com>,
	Solar Designer <solar@...nwall.com>
Subject: Re: Re: mmap vulnerability in motion eye video4linux
 driver for Sony Vaio PictureBook

On Wed, Jul 11, 2018 at 10:15:34AM +0800, zrlw@...a.com wrote:
> i think commit be83bbf80682 maybe has a problem:
>  if file_mmap_size_max return 0 (not regular, not block, fmode &
> FMODE_UNSIGNED_OFFSET == true) , maxsize will be set to -len, correct? 
> 
> +static inline bool file_mmap_ok(struct file *file, struct inode *inode,
> + unsigned long pgoff, unsigned long len)
> +{
> + u64 maxsize = file_mmap_size_max(file, inode);
> +
> + if (maxsize && len > maxsize)
> + return false;
> + maxsize -= len;                                         <==  maxsize = -len
> when file_mmap_size_max return 0 
> + if (pgoff > maxsize >> PAGE_SHIFT)
> + return false;
> + return true;
> +}

Yes, that is correct, that means that the file size is very big and
allowed to use unsigned values.  Very few device nodes allow this, but
some need to.

Do you see a problem with this for the driver you are looking at?

thanks,

greg k-h

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.