On 2019/12/11 15:57, Greg KH wrote: > On Wed, Dec 11, 2019 at 10:47:58AM +0800, Zhiqiang Liu wrote: >> From: Weifeng Su <suweifeng1@xxxxxxxxxx> >> >> CVE-2019-18675: The Linux kernel through 5.3.13 has a start_offset+size >> IntegerOverflow in cpia2_remap_buffer in drivers/media/usb/cpia2/cpia2_core.c >> because cpia2 has its own mmap implementation. This allows local users >> (with /dev/video0 access) to obtain read and write permissions on kernel >> physical pages, which can possibly result in a privilege escalation. >> >> Here, we fix it through proper start_offset value check. >> >> CVE Link: https://nvd.nist.gov/vuln/detail/CVE-2019-18675 >> Signed-off-by: Weifeng Su <suweifeng1@xxxxxxxxxx> >> Reviewed-by: Zhiqiang Liu <liuzhiqiang26@xxxxxxxxxx> >> --- >> drivers/media/usb/cpia2/cpia2_core.c | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> diff --git a/drivers/media/usb/cpia2/cpia2_core.c b/drivers/media/usb/cpia2/cpia2_core.c >> index 20c50c2d042e..26ae7a5e3783 100644 >> --- a/drivers/media/usb/cpia2/cpia2_core.c >> +++ b/drivers/media/usb/cpia2/cpia2_core.c >> @@ -2401,7 +2401,7 @@ int cpia2_remap_buffer(struct camera_data *cam, struct vm_area_struct *vma) >> >> if (size > cam->frame_size*cam->num_frames || >> (start_offset % cam->frame_size) != 0 || >> - (start_offset+size > cam->frame_size*cam->num_frames)) >> + (start_offset > cam->frame_size*cam->num_frames - size)) > > I thought we discussed this already, and the checks in the core kernel > will prevent this from happening, right? > What did I miss? > Thanks for your reply. It is me who missed the discussion. Could you sent me the mails or links about the discussion? > Or was that research not correct? Can you really trigger this? If so, > we should fix the core kernel checks instead, and not rely on it being > in every individual driver. > > thanks, > Omer Shalev have given a example which can trigger the CVE. Example link: https://deshal3v.github.io/blog/kernel-research/mmap_exploitation > greg k-h > > . >
