* [PATCH v1] media: pci: meye: validate offset to avoid arbitrary access
@ 2018-07-09 11:52 Lao Wei
0 siblings, 0 replies; only message in thread
From: Lao Wei @ 2018-07-09 11:52 UTC (permalink / raw)
To: linux-media; +Cc: mchehab, zrlw, Lao Wei
From: Lao Wei <zrlw@sina.com>
Motion eye video4linux driver for Sony Vaio PictureBook desn't validate
user-controlled parameter 'vma->vm_pgoff', a malicious process might
access all of kernel memory from user space by trying pass different
arbitrary address.
Discussion: http://www.openwall.com/lists/oss-security/2018/07/06/1
Signed-off-by: Lao Wei <zrlw@sina.com>
---
drivers/media/pci/meye/meye.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/media/pci/meye/meye.c b/drivers/media/pci/meye/meye.c
index 8001d3e..db2a7ad 100644
--- a/drivers/media/pci/meye/meye.c
+++ b/drivers/media/pci/meye/meye.c
@@ -1460,7 +1460,7 @@ static int meye_mmap(struct file *file, struct vm_area_struct *vma)
unsigned long page, pos;
mutex_lock(&meye.lock);
- if (size > gbuffers * gbufsize) {
+ if (size > gbuffers * gbufsize || offset > gbuffers * gbufsize - size) {
mutex_unlock(&meye.lock);
return -EINVAL;
}
--
1.8.5.6
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2018-07-09 11:52 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-07-09 11:52 [PATCH v1] media: pci: meye: validate offset to avoid arbitrary access Lao Wei
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.