Date: Fri, 10 Jan 2020 15:07:57 +0100
From: Takashi Iwai
To: Hans Verkuil
Cc: Mauro Carvalho Chehab, linux-media@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] media: cpia2: Fix integer overflow in mmap handling

On Fri, 10 Jan 2020 15:02:32 +0100,
Hans Verkuil wrote:
>
> Hi Takashi,
>
> On 1/8/20 5:16 PM, Takashi Iwai wrote:
> > The offset and size checks in cpia2_regmap_buffer() may ignore the
> > integer overflow and allow local users to obtain the access to the
> > kernel physical pages.
> >
> > Fix it by modifying the check more carefully; the size value is
> > already checked beforehand and guaranteed to be smaller than
> > cam->frame_size*num_frames, so it's safe to subtract in the right
> > hand side.
> >
> > This covers CVE-2019-18675.
> >
> > Cc:
> > Signed-off-by: Takashi Iwai
> > ---
> >
> > I'm submitting this since there hasn't been any action seen for this
> > bug over a month.  Let me know if there is already a fix.  Thanks.
>
> Read the full mail thread for the original patches:
>
> https://patchwork.linuxtv.org/patch/60602/
> https://patchwork.linuxtv.org/patch/59978/
>
> The second has the reference to the kernel core mmap commit that prevents this
> from being exploited.
>
> Rejecting this patch for that reason.
>
> Since this is the third time this patch pops up, I am wondering if I shouldn't
> accept it anyway just to stop this. But then I want a better commit log that
> points to the core commit as the *real* fix.
>
> There is nothing wrong as such with this patch, so if someone cares to post
> a new version that refers to the core commit, I'll likely accept it.

Thanks for the clarification!  I see that there's no need for patching.

Then could you give some information updates to those CVE entries?
The entries still appear as if there's no fix available yet in upstream.


Takashi
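
The commit message quoted above describes replacing an offset-plus-size comparison with a subtraction on the right-hand side. The following user-space C model of that idea is an added illustration, not the cpia2 driver code or the submitted patch; the function names, the frame geometry and the sample inputs are assumptions constructed for the example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed sample geometry (assumed values, not taken from the driver). */
#define FRAME_SIZE (64UL * 1024UL)
#define NUM_FRAMES 2UL

/* Addition form: offset + size can wrap past ULONG_MAX and look small. */
static bool range_ok_naive(unsigned long offset, unsigned long size,
                           unsigned long buf_len)
{
    if (size > buf_len)
        return false;
    return offset + size <= buf_len;
}

/* Subtraction form: size <= buf_len is checked first, so buf_len - size
 * cannot underflow and the comparison involves no wrapping arithmetic. */
static bool range_ok_checked(unsigned long offset, unsigned long size,
                             unsigned long buf_len)
{
    if (size > buf_len)
        return false;
    return offset <= buf_len - size;
}

int main(void)
{
    const unsigned long buf_len = FRAME_SIZE * NUM_FRAMES;
    const unsigned long page = 4096UL;
    const struct { unsigned long offset, size; } cases[] = {
        { 0UL, FRAME_SIZE * NUM_FRAMES },    /* whole buffer */
        { FRAME_SIZE, FRAME_SIZE },          /* second frame only */
        { FRAME_SIZE, FRAME_SIZE + 4096UL }, /* runs past the end */
        { ULONG_MAX - 4095UL, 8192UL },      /* offset + size wraps to 4096 */
    };

    (void)page;
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("offset=%#lx size=%#lx naive=%d checked=%d\n",
               cases[i].offset, cases[i].size,
               range_ok_naive(cases[i].offset, cases[i].size, buf_len),
               range_ok_checked(cases[i].offset, cases[i].size, buf_len));
    return 0;
}
```

Only the last case separates the two forms: the addition wraps and the naive check accepts it, while the subtraction form rejects it.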