Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 03056f8c authored by Lao Wei's avatar Lao Wei Committed by Greg Kroah-Hartman
Browse files

media: fix: media: pci: meye: validate offset to avoid arbitrary access 

[ Upstream commit eac7230fdb4672c2cb56f6a01a1744f562c01f80 ]

Motion eye video4linux driver for Sony Vaio PictureBook desn't validate user-controlled parameter
'vma->vm_pgoff', a malicious process might access all of kernel memory from user space by trying
pass different arbitrary address.
Discussion: http://www.openwall.com/lists/oss-security/2018/07/06/1



Signed-off-by: default avatarLao Wei <zrlw@qq.com>
Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
parent fe384ab1

drivers/media/pci/meye/meye.c

+1 −1
Original line number Diff line number Diff line
@@ -1460,7 +1460,7 @@ static int meye_mmap(struct file *file, struct vm_area_struct *vma) 
	unsigned long page, pos;



	mutex_lock(&meye.lock);

	if (size > gbuffers * gbufsize) {

	if (size > gbuffers * gbufsize || offset > gbuffers * gbufsize - size) {

		mutex_unlock(&meye.lock);

		return -EINVAL;

	}