oss-sec mailing list archives
mmap vulnerability in motion eye video4linux driver for Sony Vaio PictureBook
From: <zrlw () sina com>
Date: Fri, 06 Jul 2018 20:35:43 +0800
Hi all,

I found a vulnerability in the motion eye video4linux driver for Sony Vaio PictureBook. It doesn't validate the user-controlled parameter 'vma->vm_pgoff'; a malicious process might access all of kernel memory from user space by trying to pass different arbitrary addresses.

/usr/src/linux-4.4.21-69/drivers/media/pci/meye/meye.c:

    static int meye_mmap(struct file *file, struct vm_area_struct *vma)
    ...
        unsigned long offset = vma->vm_pgoff << PAGE_SHIFT;
    ...
        pos = (unsigned long)meye.grab_fbuffer + offset;
        while (size > 0) {
            page = vmalloc_to_pfn((void *)pos);
            if (remap_pfn_range(vma, start, page, PAGE_SIZE, PAGE_SHARED)) {...
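The bounds check that the quoted meye_mmap() excerpt lacks, modelled in userspace as an added example (it is not part of the original post and not the driver's own code). The function name, the `buf_size` parameter and the 4 KiB page size are assumptions made for illustration.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

#define PAGE_SHIFT 12 /* assumption: 4 KiB pages */

/*
 * Userspace model of the validation an mmap handler needs before it walks
 * buffer + offset. buf_size is the total size of the vmalloc'ed grab buffer
 * (hypothetical parameter; the post does not show how the driver sizes it).
 * Returns true only if [offset, offset + size) lies inside the buffer.
 */
bool mmap_range_ok(unsigned long vm_pgoff, unsigned long vm_start,
                   unsigned long vm_end, unsigned long buf_size)
{
    unsigned long size, offset;

    if (vm_end <= vm_start)
        return false;
    size = vm_end - vm_start;

    /* vm_pgoff << PAGE_SHIFT can wrap around; reject before shifting. */
    if (vm_pgoff > (ULONG_MAX >> PAGE_SHIFT))
        return false;
    offset = vm_pgoff << PAGE_SHIFT;

    /* Written as a subtraction so that offset + size cannot overflow. */
    if (size > buf_size || offset > buf_size - size)
        return false;
    return true;
}

int main(void)
{
    unsigned long buf = 4UL << PAGE_SHIFT; /* constructed: 4-page buffer */

    printf("whole buffer:     %d\n", mmap_range_ok(0, 0x1000, 0x5000, buf));
    printf("last page:        %d\n", mmap_range_ok(3, 0x1000, 0x2000, buf));
    printf("one page past:    %d\n", mmap_range_ok(4, 0x1000, 0x2000, buf));
    printf("far out of range: %d\n", mmap_range_ok(0x100000, 0x1000, 0x2000, buf));
    return 0;
}
```

In a handler shaped like the excerpt, a check of this form would run before `pos` is computed and return an error such as -EINVAL when it fails.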
Current thread:
- mmap vulnerability in motion eye video4linux driver for Sony Vaio PictureBook zrlw (Jul 06)
- Re: mmap vulnerability in motion eye video4linux driver for Sony Vaio PictureBook Greg KH (Jul 06)
- Re: mmap vulnerability in motion eye video4linux driver for Sony Vaio PictureBook Solar Designer (Jul 06)
- <Possible follow-ups>
- Re: mmap vulnerability in motion eye video4linux driver for Sony Vaio PictureBook zrlw (Jul 06)
- Re: mmap vulnerability in motion eye video4linux driver for Sony Vaio PictureBook Greg KH (Jul 06)