On Wed, Dec 11, 2019 at 10:47:58AM +0800, Zhiqiang Liu wrote: > From: Weifeng Su <suweifeng1@xxxxxxxxxx> > > CVE-2019-18675: The Linux kernel through 5.3.13 has a start_offset+size > IntegerOverflow in cpia2_remap_buffer in drivers/media/usb/cpia2/cpia2_core.c > because cpia2 has its own mmap implementation. This allows local users > (with /dev/video0 access) to obtain read and write permissions on kernel > physical pages, which can possibly result in a privilege escalation. > > Here, we fix it through proper start_offset value check. > > CVE Link: https://nvd.nist.gov/vuln/detail/CVE-2019-18675 > Signed-off-by: Weifeng Su <suweifeng1@xxxxxxxxxx> > Reviewed-by: Zhiqiang Liu <liuzhiqiang26@xxxxxxxxxx> > --- > drivers/media/usb/cpia2/cpia2_core.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/media/usb/cpia2/cpia2_core.c b/drivers/media/usb/cpia2/cpia2_core.c > index 20c50c2d042e..26ae7a5e3783 100644 > --- a/drivers/media/usb/cpia2/cpia2_core.c > +++ b/drivers/media/usb/cpia2/cpia2_core.c > @@ -2401,7 +2401,7 @@ int cpia2_remap_buffer(struct camera_data *cam, struct vm_area_struct *vma) > > if (size > cam->frame_size*cam->num_frames || > (start_offset % cam->frame_size) != 0 || > - (start_offset+size > cam->frame_size*cam->num_frames)) > + (start_offset > cam->frame_size*cam->num_frames - size)) I thought we discussed this already, and the checks in the core kernel will prevent this from happening, right? What did I miss? Or was that research not correct? Can you really trigger this? If so, we should fix the core kernel checks instead, and not rely on it being in every individual driver. thanks, greg k-h