From: Greg KH <gregkh@linuxfoundation.org>
To: Zhiqiang Liu <liuzhiqiang26@huawei.com>
Cc: tglx@linutronix.de, crope@iki.fi, linux-media@vger.kernel.org,
rfontana@redhat.com, erik.andren@gmail.com, hverkuil@xs4all.nl,
brijohn@gmail.com, lcostantino@gmail.com, suweifeng1@huawei.com,
Mingfangsen <mingfangsen@huawei.com>,
guiyao@huawei.com
Subject: Re: [PATCH] media: usb/cpia2: fix start_offset+size Integer Overflow in, cpia2_remap_buffer
Date: Wed, 11 Dec 2019 08:57:45 +0100 [thread overview]
Message-ID: <20191211075745.GA403571@kroah.com> (raw)
In-Reply-To: <83ed0748-634d-4146-d216-53681bc3b553@huawei.com>
On Wed, Dec 11, 2019 at 10:47:58AM +0800, Zhiqiang Liu wrote:
> From: Weifeng Su <suweifeng1@huawei.com>
>
> CVE-2019-18675: The Linux kernel through 5.3.13 has a start_offset+size
> IntegerOverflow in cpia2_remap_buffer in drivers/media/usb/cpia2/cpia2_core.c
> because cpia2 has its own mmap implementation. This allows local users
> (with /dev/video0 access) to obtain read and write permissions on kernel
> physical pages, which can possibly result in a privilege escalation.
>
> Here, we fix it through proper start_offset value check.
>
> CVE Link: https://nvd.nist.gov/vuln/detail/CVE-2019-18675
> Signed-off-by: Weifeng Su <suweifeng1@huawei.com>
> Reviewed-by: Zhiqiang Liu <liuzhiqiang26@huawei.com>
> ---
> drivers/media/usb/cpia2/cpia2_core.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/media/usb/cpia2/cpia2_core.c b/drivers/media/usb/cpia2/cpia2_core.c
> index 20c50c2d042e..26ae7a5e3783 100644
> --- a/drivers/media/usb/cpia2/cpia2_core.c
> +++ b/drivers/media/usb/cpia2/cpia2_core.c
> @@ -2401,7 +2401,7 @@ int cpia2_remap_buffer(struct camera_data *cam, struct vm_area_struct *vma)
>
> if (size > cam->frame_size*cam->num_frames ||
> (start_offset % cam->frame_size) != 0 ||
> - (start_offset+size > cam->frame_size*cam->num_frames))
> + (start_offset > cam->frame_size*cam->num_frames - size))
I thought we discussed this already, and the checks in the core kernel
will prevent this from happening, right?
What did I miss?
Or was that research not correct? Can you really trigger this? If so,
we should fix the core kernel checks instead, and not rely on it being
in every individual driver.
thanks,
greg k-h
next prev parent reply other threads:[~2019-12-11 7:57 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-12-11 2:47 [PATCH] media: usb/cpia2: fix start_offset+size Integer Overflow in, cpia2_remap_buffer Zhiqiang Liu
2019-12-11 7:57 ` Greg KH [this message]
2019-12-12 1:48 ` Zhiqiang Liu
2019-12-12 7:47 ` Greg KH
2019-12-12 9:40 ` Zhiqiang Liu
2019-12-12 10:01 ` Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191211075745.GA403571@kroah.com \
--to=gregkh@linuxfoundation.org \
--cc=brijohn@gmail.com \
--cc=crope@iki.fi \
--cc=erik.andren@gmail.com \
--cc=guiyao@huawei.com \
--cc=hverkuil@xs4all.nl \
--cc=lcostantino@gmail.com \
--cc=linux-media@vger.kernel.org \
--cc=liuzhiqiang26@huawei.com \
--cc=mingfangsen@huawei.com \
--cc=rfontana@redhat.com \
--cc=suweifeng1@huawei.com \
--cc=tglx@linutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox