oss-sec mailing list archives
Re: mmap vulnerability in motion eye video4linux driver for Sony Vaio PictureBook
From: <zrlw () sina com>
Date: Wed, 11 Jul 2018 10:15:34 +0800
i think commit be83bbf80682 maybe has a problem: if file_mmap_size_max return 0 (not regular, not block, fmode & FMODE_UNSIGNED_OFFSET == true) , maxsize will be set to -len, correct? +static inline bool file_mmap_ok(struct file *file, struct inode *inode, + unsigned long pgoff, unsigned long len) +{ + u64 maxsize = file_mmap_size_max(file, inode); + + if (maxsize && len > maxsize) + return false; + maxsize -= len; <== maxsize = -len when file_mmap_size_max return 0 + if (pgoff > maxsize >> PAGE_SHIFT) + return false; + return true; +} +
Current thread:
- mmap vulnerability in motion eye video4linux driver for Sony Vaio PictureBook zrlw (Jul 06)
- Re: mmap vulnerability in motion eye video4linux driver for Sony Vaio PictureBook Greg KH (Jul 06)
- Re: mmap vulnerability in motion eye video4linux driver for Sony Vaio PictureBook Solar Designer (Jul 06)
- <Possible follow-ups>
- Re: mmap vulnerability in motion eye video4linux driver for Sony Vaio PictureBook zrlw (Jul 06)
- Re: mmap vulnerability in motion eye video4linux driver for Sony Vaio PictureBook Greg KH (Jul 10)
- Re: mmap vulnerability in motion eye video4linux driver for Sony Vaio PictureBook zrlw (Jul 11)
- Re: mmap vulnerability in motion eye video4linux driver for Sony Vaio PictureBook zrlw (Jul 11)
- Re: Re: mmap vulnerability in motion eye video4linux driver for Sony Vaio PictureBook Greg KH (Jul 11)
- Re: mmap vulnerability in motion eye video4linux driver for Sony Vaio PictureBook Greg KH (Jul 10)
- Re: mmap vulnerability in motion eye video4linux driver for Sony Vaio PictureBook Greg KH (Jul 06)