Re: mmap vulnerability in motion eye video4linux driver for Sony Vaio PictureBook

[<zrlw () sina com>]

I  sent a email to the original authors which i found in the head of meye.c, but i don't receive any response util now. 
I don't think   commit be83bbf80682  will work on this case, this driver derived from v4l2-core which not use inode,  
maybe i'm wrong.  
----- Original Message -----
From: Solar Designer <solar () openwall com>
To: oss-security () lists openwall com
Cc: zrlw () sina com
Subject: Re: [oss-security] mmap vulnerability in motion eye video4linux driver for Sony Vaio PictureBook
Date: 2018-07-06 22:54


On Fri, Jul 06, 2018 at 03:26:55PM +0200, Greg KH wrote:
> On Fri, Jul 06, 2018 at 08:35:43PM +0800, zrlw () sina com wrote:
> > Hi all,i found a vulnerability in motion eye video4linux driver for Sony Vaio PictureBook,it desn't validate 
> > user-controlled parameter 'vma->vm_pgoff', a malicious process might access all of kernel memory from user space by 
> > trying pass different arbitrary address.
> > /usr/src/linux-4.4.21-69/drivers/media/pci/meye/meye.c:
> > static int meye_mmap(struct file *file, struct vm_area_struct *vma)
> > ...        unsigned long offset = vma->vm_pgoff << PAGE_SHIFT;
> > ...        pos = (unsigned long)meye.grab_fbuffer + offset;
> >         while (size > 0) {
> >                 page = vmalloc_to_pfn((void *)pos);
> >                 if (remap_pfn_range(vma, start, page, PAGE_SIZE, PAGE_SHARED)) {...
>
> Commit:
>       be83bbf80682 ("mmap: introduce sane default mmap limits")
> which was backported to all stable kernels, should have resolved this
> problem, correct?
>
> If not, please notify the media driver maintainers and they will be glad
> to fix the problem.
I think zrlw () sina com is not subscribed, so CC'ing.
I wonder if it's also possible to cause integer overflow on "(unsigned
long)meye.grab_fbuffer + offset", bringing pos below meye.grab_fbuffer,
and what the impact of that would be.
Alexander