oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

mmap vulnerability in motion eye video4linux driver for Sony Vaio PictureBook

From: <zrlw () sina com>
Date: Fri, 06 Jul 2018 20:35:43 +0800
Hi all,i found a vulnerability in motion eye video4linux driver for Sony Vaio PictureBook,it desn't validate 
user-controlled parameter 'vma->vm_pgoff', a malicious process might access all of kernel memory from user space by 
trying pass different arbitrary address.
/usr/src/linux-4.4.21-69/drivers/media/pci/meye/meye.c:
static int meye_mmap(struct file *file, struct vm_area_struct *vma)
...        unsigned long offset = vma->vm_pgoff << PAGE_SHIFT;
...        pos = (unsigned long)meye.grab_fbuffer + offset;
        while (size > 0) {
                page = vmalloc_to_pfn((void *)pos);
                if (remap_pfn_range(vma, start, page, PAGE_SIZE, PAGE_SHARED)) {...
Previous By Date Next
Previous By Thread Next

Current thread: