All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH 0/2] staging: vc04_services: vc-sm-cma: fix security issues in clean_invalid2 ioctl
@ 2026-03-29  6:18 Sebastian Josue Alba Vives
  2026-03-29  6:18 ` [PATCH 1/2] staging: vc04_services: vc-sm-cma: fix integer overflow in vc_sm_cma_clean_invalid2() Sebastian Josue Alba Vives
  2026-03-29  6:18 ` [PATCH 2/2] staging: vc04_services: vc-sm-cma: add address validation in clean_invalid_contig_2d() Sebastian Josue Alba Vives
  0 siblings, 2 replies; 7+ messages in thread
From: Sebastian Josue Alba Vives @ 2026-03-29  6:18 UTC (permalink / raw)
  To: Greg Kroah-Hartman, Florian Fainelli
  Cc: bcm-kernel-feedback-list, linux-staging, linux-rpi-kernel,
	linux-arm-kernel, Dave Stevenson, kernel-list,
	Sebastián Alba Vives

This series fixes two security issues in the VideoCore shared memory CMA
driver (vc-sm-cma), accessible via /dev/vc-sm-cma which is created with
mode 0666 (world-accessible, no authentication required).

Both bugs are in vc_sm_cma_clean_invalid2(), reachable via the
VC_SM_CMA_CMD_CLEAN_INVALID2 ioctl on 32-bit ARM kernels.

Patch 1: Integer overflow in kmalloc size computation
Patch 2: Missing address validation in cache maintenance operations

Both issues affect 32-bit Raspberry Pi kernels (RPi 1/2/3/Zero and
32-bit RPi 4/5 configurations) running the rpi-6.6.y kernel series.

Both issues were found through manual source code auditing.

I would like to request separate CVE assignments for each patch as they
are independent vulnerabilities.

Reported-by: Sebastián Alba Vives <sebasjosue84@gmail.com>



^ permalink raw reply	[flat|nested] 7+ messages in thread

end of thread, other threads:[~2026-03-29 12:35 UTC | newest]

Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-03-29  6:18 [PATCH 0/2] staging: vc04_services: vc-sm-cma: fix security issues in clean_invalid2 ioctl Sebastian Josue Alba Vives
2026-03-29  6:18 ` [PATCH 1/2] staging: vc04_services: vc-sm-cma: fix integer overflow in vc_sm_cma_clean_invalid2() Sebastian Josue Alba Vives
2026-03-29  6:33   ` Greg Kroah-Hartman
2026-03-29  7:04     ` Sebastián Alba
2026-03-29  7:31       ` Greg Kroah-Hartman
     [not found]       ` <CAMEGJJ0zgab3WN=rb2o+UgEq_coX5LnkyPj3UNrBSMQbTGU7Zw@mail.gmail.com>
2026-03-29 12:35         ` Sebastián Alba
2026-03-29  6:18 ` [PATCH 2/2] staging: vc04_services: vc-sm-cma: add address validation in clean_invalid_contig_2d() Sebastian Josue Alba Vives

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.