From patchwork Wed Dec 11 02:47:58 2019
From: Zhiqiang Liu
CC: Mingfangsen
Subject: [PATCH] media: usb/cpia2: fix start_offset+size Integer Overflow in cpia2_remap_buffer
Message-ID: <83ed0748-634d-4146-d216-53681bc3b553@huawei.com>
Date: Wed, 11 Dec 2019 10:47:58 +0800
X-Mailing-List: linux-media@vger.kernel.org
From: Weifeng Su

CVE-2019-18675: The Linux kernel through 5.3.13 has a start_offset+size Integer Overflow in cpia2_remap_buffer in drivers/media/usb/cpia2/cpia2_core.c because cpia2 has its own mmap implementation. This allows local users (with /dev/video0 access) to obtain read and write permissions on kernel physical pages, which can possibly result in a privilege escalation.

Here, we fix it through a proper start_offset value check.

CVE Link: https://nvd.nist.gov/vuln/detail/CVE-2019-18675

Signed-off-by: Weifeng Su
Reviewed-by: Zhiqiang Liu
---
 drivers/media/usb/cpia2/cpia2_core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/media/usb/cpia2/cpia2_core.c b/drivers/media/usb/cpia2/cpia2_core.c index 20c50c2d042e..26ae7a5e3783 100644 --- a/drivers/media/usb/cpia2/cpia2_core.c +++ b/drivers/media/usb/cpia2/cpia2_core.c @@ -2401,7 +2401,7 @@ int cpia2_remap_buffer(struct camera_data *cam, struct vm_area_struct *vma) if (size > cam->frame_size*cam->num_frames || (start_offset % cam->frame_size) != 0 || - (start_offset+size > cam->frame_size*cam->num_frames)) + (start_offset > cam->frame_size*cam->num_frames - size)) return -EINVAL; pos = ((unsigned long) (cam->frame_buffer)) + start_offset;
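Review bot: the rewritten third condition `start_offset > cam->frame_size*cam->num_frames - size` is only safe against wrapping because the first condition `size > cam->frame_size*cam->num_frames` is evaluated first and rejects any size larger than the buffer; that short-circuit ordering is now load-bearing, so a one-line comment on the `if` saying the subtraction cannot underflow would stop a later reorder of the conditions from reintroducing the bug. The hunk does not show the declared types of start_offset, size, frame_size or num_frames; the commit message should state them, since the argument that `start_offset > total - size` is equivalent to the intended `start_offset + size > total` check without overflow depends on start_offset and size being unsigned, and the product `cam->frame_size*cam->num_frames` is still computed in the type of those fields, so if either is a plain int the product can overflow before the comparison, which this change does not address.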