oss-sec mailing list archives

Re: Re: mmap vulnerability in motion eye video4linux driver for Sony Vaio PictureBook


From: Greg KH <greg () kroah com>
Date: Wed, 11 Jul 2018 13:04:17 +0200

On Wed, Jul 11, 2018 at 10:15:34AM +0800, zrlw () sina com wrote:
I think commit be83bbf80682 may have a problem:
if file_mmap_size_max returns 0 (not regular, not block, fmode &
FMODE_UNSIGNED_OFFSET == true), maxsize will be set to -len, correct?

+static inline bool file_mmap_ok(struct file *file, struct inode *inode,
+ unsigned long pgoff, unsigned long len)
+{
+ u64 maxsize = file_mmap_size_max(file, inode);
+
+ if (maxsize && len > maxsize)
+ return false;
+ maxsize -= len;                                         <==  maxsize = -len
when file_mmap_size_max return 0 
+ if (pgoff > maxsize >> PAGE_SHIFT)
+ return false;
+ return true;
+}
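
Review bot: at `maxsize -= len;` the case where file_mmap_size_max() returns 0 is handled only implicitly. `if (maxsize && len > maxsize)` skips the length check for a zero maxsize, and the u64 subtraction then wraps to 2^64 - len, so the later `pgoff > maxsize >> PAGE_SHIFT` test bounds pgoff by that wrapped value. Nothing in the hunk says that 0 is a sentinel for the unsigned-offset case or that the wraparound is intended; a short comment above the subtraction stating both would keep a later reader from treating it as an underflow bug.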

Yes, that is correct, that means that the file size is very big and
allowed to use unsigned values.  Very few device nodes allow this, but
some need to.

Do you see a problem with this for the driver you are looking at?

thanks,

greg k-h

