diff options
| author | Lao Wei <zrlw@qq.com> | 2018-07-09 08:15:53 -0400 |
|---|---|---|
| committer | Mauro Carvalho Chehab <mchehab+samsung@kernel.org> | 2018-09-12 10:47:50 -0400 |
| commit | eac7230fdb4672c2cb56f6a01a1744f562c01f80 (patch) | |
| tree | e4ef1a15e1dc52ad6f141b19a5fdfc3d1ab9e20a /drivers/media/pci | |
| parent | 0af04934be0046ec056074edfb176f42a21da6f0 (diff) | |
| download | linux-eac7230fdb4672c2cb56f6a01a1744f562c01f80.tar.gz linux-eac7230fdb4672c2cb56f6a01a1744f562c01f80.tar.bz2 linux-eac7230fdb4672c2cb56f6a01a1744f562c01f80.zip | |
media: fix: media: pci: meye: validate offset to avoid arbitrary access
Motion eye video4linux driver for Sony Vaio PictureBook desn't validate user-controlled parameter
'vma->vm_pgoff', a malicious process might access all of kernel memory from user space by trying
pass different arbitrary address.
Discussion: http://www.openwall.com/lists/oss-security/2018/07/06/1
Signed-off-by: Lao Wei <zrlw@qq.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Diffstat (limited to 'drivers/media/pci')
| -rw-r--r-- | drivers/media/pci/meye/meye.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/media/pci/meye/meye.c b/drivers/media/pci/meye/meye.c index 7285edcdd323..bd870e60c32b 100644 --- a/drivers/media/pci/meye/meye.c +++ b/drivers/media/pci/meye/meye.c @@ -1460,7 +1460,7 @@ static int meye_mmap(struct file *file, struct vm_area_struct *vma) unsigned long page, pos; mutex_lock(&meye.lock); - if (size > gbuffers * gbufsize) { + if (size > gbuffers * gbufsize || offset > gbuffers * gbufsize - size) { mutex_unlock(&meye.lock); return -EINVAL; } |