From: Weifeng Su <suweifeng1@xxxxxxxxxx> CVE-2019-18675: The Linux kernel through 5.3.13 has a start_offset+size IntegerOverflow in cpia2_remap_buffer in drivers/media/usb/cpia2/cpia2_core.c because cpia2 has its own mmap implementation. This allows local users (with /dev/video0 access) to obtain read and write permissions on kernel physical pages, which can possibly result in a privilege escalation. Here, we fix it through proper start_offset value check. CVE Link: https://nvd.nist.gov/vuln/detail/CVE-2019-18675 Signed-off-by: Weifeng Su <suweifeng1@xxxxxxxxxx> Reviewed-by: Zhiqiang Liu <liuzhiqiang26@xxxxxxxxxx> --- drivers/media/usb/cpia2/cpia2_core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/media/usb/cpia2/cpia2_core.c b/drivers/media/usb/cpia2/cpia2_core.c index 20c50c2d042e..26ae7a5e3783 100644 --- a/drivers/media/usb/cpia2/cpia2_core.c +++ b/drivers/media/usb/cpia2/cpia2_core.c @@ -2401,7 +2401,7 @@ int cpia2_remap_buffer(struct camera_data *cam, struct vm_area_struct *vma) if (size > cam->frame_size*cam->num_frames || (start_offset % cam->frame_size) != 0 || - (start_offset+size > cam->frame_size*cam->num_frames)) + (start_offset > cam->frame_size*cam->num_frames - size)) return -EINVAL; pos = ((unsigned long) (cam->frame_buffer)) + start_offset; -- 2.24.0.windows.2
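Review bot: The rewritten third clause `(start_offset > cam->frame_size*cam->num_frames - size)` is only overflow-safe because the first clause `size > cam->frame_size*cam->num_frames` has already rejected any size larger than the whole buffer, so the subtraction cannot wrap; that dependency on clause ordering and short-circuit evaluation is invisible to a later reader, so add a one-line comment above the `if` (e.g. `/* size <= total buffer checked above, so total - size cannot underflow */`) or hoist `cam->frame_size*cam->num_frames` into a local `total` used by all three clauses. The commit message should also name the type of `start_offset` and `size` and explain why their sum could overflow under the old check, since that is the property the new form is meant to guarantee; a `Fixes:` tag pointing at the commit that introduced the mmap path would help stable backports.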