The offset and size checks in cpia2_regmap_buffer() may ignore the integer overflow and allow local users to obtain the access to the kernel physical pages. Fix it by modifying the check more carefully; the size value is already checked beforehand and guaranteed to be smaller than cam->frame_size*num_frames, so it's safe to subtract in the right hand side. This covers CVE-2019-18675. Cc: <stable@xxxxxxxxxxxxxxx> Signed-off-by: Takashi Iwai <tiwai@xxxxxxx> --- I'm submitting this since there hasn't been any action seen for this bug over a month. Let me know if there is already a fix. Thanks. drivers/media/usb/cpia2/cpia2_core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/media/usb/cpia2/cpia2_core.c b/drivers/media/usb/cpia2/cpia2_core.c index 20c50c2d042e..26ae7a5e3783 100644 --- a/drivers/media/usb/cpia2/cpia2_core.c +++ b/drivers/media/usb/cpia2/cpia2_core.c @@ -2401,7 +2401,7 @@ int cpia2_remap_buffer(struct camera_data *cam, struct vm_area_struct *vma) if (size > cam->frame_size*cam->num_frames || (start_offset % cam->frame_size) != 0 || - (start_offset+size > cam->frame_size*cam->num_frames)) + (start_offset > cam->frame_size*cam->num_frames - size)) return -EINVAL; pos = ((unsigned long) (cam->frame_buffer)) + start_offset; -- 2.16.4
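Review bot: The corrected condition `(start_offset > cam->frame_size*cam->num_frames - size)` is only free of unsigned underflow because the first clause of the same `||` chain, `size > cam->frame_size*cam->num_frames`, rejects any `size` larger than the buffer before evaluation reaches the subtraction; that ordering is load-bearing, so consider adding a one-line comment above the `if` stating that the subtraction relies on the preceding size check, otherwise a future reordering of the clauses would silently reintroduce the overflow this patch removes. Also, the commit message names the function `cpia2_regmap_buffer()` while the hunk header shows `cpia2_remap_buffer()`; the message should use the real name so the fix can be found by searching for the function.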