Re: mmap vulnerability in motion eye video4linux driver for Sony Vaio PictureBook

[Solar Designer <solar () openwall com>]

On Fri, Jul 06, 2018 at 03:26:55PM +0200, Greg KH wrote:
> On Fri, Jul 06, 2018 at 08:35:43PM +0800, zrlw () sina com wrote:
> > Hi all,i found a vulnerability in motion eye video4linux driver for Sony Vaio PictureBook,it desn't validate 
> > user-controlled parameter 'vma->vm_pgoff', a malicious process might access all of kernel memory from user space by 
> > trying pass different arbitrary address.
> > /usr/src/linux-4.4.21-69/drivers/media/pci/meye/meye.c:
> > static int meye_mmap(struct file *file, struct vm_area_struct *vma)
> > ...        unsigned long offset = vma->vm_pgoff << PAGE_SHIFT;
> > ...        pos = (unsigned long)meye.grab_fbuffer + offset;
> >         while (size > 0) {
> >                 page = vmalloc_to_pfn((void *)pos);
> >                 if (remap_pfn_range(vma, start, page, PAGE_SIZE, PAGE_SHARED)) {...
>
> Commit:
>       be83bbf80682 ("mmap: introduce sane default mmap limits")
> which was backported to all stable kernels, should have resolved this
> problem, correct?
>
> If not, please notify the media driver maintainers and they will be glad
> to fix the problem.

I think zrlw () sina com is not subscribed, so CC'ing.

I wonder if it's also possible to cause integer overflow on "(unsigned
long)meye.grab_fbuffer + offset", bringing pos below meye.grab_fbuffer,
and what the impact of that would be.

Alexander