Subject: usb:cpia2: Properly check framebuffer mmap offsets
From: Omer Shalev @ 2019-10-25  6:08 UTC
To: linux-media


Hello,
I've found an integer overflow vulnerability in the cpia2 driver's
mmap implementation, allowing an attacker to map an area outside of the
frame's buffer, giving him a primitive that can possibly be used for
privilege escalation. The security list confirmed the bug and asked
me to suggest a patch and send it to you. I'm attaching the patch
file here.

If you would like to get the exploit code, or the explanations I sent
to the security list, please let me know.

I look forward to receiving your updates.
Best regards,
Omer Shalev.
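The overflow the mail describes, modelled in user space as an added example (this is neither the cpia2 driver's code nor the author's exploit): the bounds check from cpia2_remap_buffer() before and after the attached patch, with a constructed frame geometry and a 4 KiB PAGE_SHIFT assumed.

```c
#include <limits.h>
#include <stdbool.h>

#define PAGE_SHIFT 12UL   /* assumption: 4 KiB pages, as on x86 */

/* Constructed stand-in for the two struct camera_data fields used here. */
struct cam_model {
    unsigned long frame_size;  /* bytes per frame */
    unsigned long num_frames;
};

/* Bounds check as it stood before the patch: the page offset is shifted
 * without a range check, and start_offset + size may wrap to a small value. */
static bool mmap_check_before(const struct cam_model *cam,
                              unsigned long pgoff, unsigned long size)
{
    unsigned long start_offset = pgoff << PAGE_SHIFT;
    unsigned long total = cam->frame_size * cam->num_frames;

    if (size > total || (start_offset % cam->frame_size) != 0 ||
        (start_offset + size > total))
        return false;
    return true;
}

/* Bounds check as patched: reject page offsets whose shift would overflow,
 * then compare start_offset against total - size. The subtraction cannot
 * underflow because the first clause already established size <= total. */
static bool mmap_check_after(const struct cam_model *cam,
                             unsigned long pgoff, unsigned long size)
{
    unsigned long total = cam->frame_size * cam->num_frames;
    unsigned long start_offset;

    if (pgoff > (~0UL >> PAGE_SHIFT))
        return false;
    start_offset = pgoff << PAGE_SHIFT;

    if (size > total || (start_offset % cam->frame_size) != 0 ||
        (start_offset > total - size))
        return false;
    return true;
}

/* Constructed geometry: four 64 KiB frames. */
static const struct cam_model demo_cam = { .frame_size = 64 * 1024, .num_frames = 4 };

/* A page offset whose byte offset is frame-aligned but sits frame_size bytes
 * below the top of the address space, so start_offset + frame_size wraps to 0. */
static unsigned long wrapping_pgoff(void)
{
    return (ULONG_MAX - (demo_cam.frame_size - 1)) >> PAGE_SHIFT;
}
```

With this geometry the old check accepts the wrapping offset (and also a page offset whose shift wraps to 0), while the patched check rejects both and still accepts an in-range second-frame mapping.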

[-- Attachment #2: cpia2_patch.patch --]
[-- Type: text/x-patch, Size: 1211 bytes --]

diff --git a/drivers/media/usb/cpia2/cpia2_core.c b/drivers/media/usb/cpia2/cpia2_core.c
index 20c50c2d042e..97e610eb3895 100644
--- a/drivers/media/usb/cpia2/cpia2_core.c
+++ b/drivers/media/usb/cpia2/cpia2_core.c
@@ -2390,8 +2390,8 @@ int cpia2_remap_buffer(struct camera_data *cam, struct vm_area_struct *vma)
 {
 	const char *adr = (const char *)vma->vm_start;
 	unsigned long size = vma->vm_end-vma->vm_start;
-	unsigned long start_offset = vma->vm_pgoff << PAGE_SHIFT;
 	unsigned long start = (unsigned long) adr;
+	unsigned long start_offset;
 	unsigned long page, pos;
 
 	DBG("mmap offset:%ld size:%ld\n", start_offset, size);
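Review bot: with the initializer dropped from the `start_offset` declaration, the unchanged context line `DBG("mmap offset:%ld size:%ld\n", start_offset, size);` now reads `start_offset` before the second hunk assigns it, so the debug line logs an indeterminate value and will draw a -Wmaybe-uninitialized warning; move the DBG() below the new `start_offset = vma->vm_pgoff << PAGE_SHIFT;` assignment, or log `vma->vm_pgoff` here instead. While that line is being touched, `%lu` is the correct conversion for the two unsigned long arguments.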
@@ -2399,9 +2399,14 @@ int cpia2_remap_buffer(struct camera_data *cam, struct vm_area_struct *vma)
 	if (!video_is_registered(&cam->vdev))
 		return -ENODEV;
 
+	if (vma->vm_pgoff > (~0UL >> PAGE_SHIFT))
+		return -EINVAL;
+
+	start_offset = vma->vm_pgoff << PAGE_SHIFT;
+
 	if (size > cam->frame_size*cam->num_frames  ||
 	    (start_offset % cam->frame_size) != 0 ||
-	    (start_offset+size > cam->frame_size*cam->num_frames))
+	    (start_offset > cam->frame_size*cam->num_frames -size))
 		return -EINVAL;
 
 	pos = ((unsigned long) (cam->frame_buffer)) + start_offset;
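Review bot: the rewritten bound `start_offset > cam->frame_size*cam->num_frames -size` is only safe because the preceding `size > cam->frame_size*cam->num_frames` clause runs first and short-circuits, so the subtraction cannot underflow; that ordering dependency deserves a one-line comment, since reordering the conditions later would silently reintroduce the wrap. The new `vm_pgoff > (~0UL >> PAGE_SHIFT)` guard and the subtraction could also be written with check_shl_overflow()/check_add_overflow() from <linux/overflow.h>, which states the intent directly. Style: checkpatch will flag `-size` (binary operator needs spacing, `- size`), and the submission carries no commit message describing the overflow nor the Fixes: and Cc: stable tags a security fix like this should have.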
