blob: 545e12d1c9bd3ca77c2016d6f9c59e3c50df6616 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
|
Description: integer overflow in cpia2_remap_buffer in drivers/media/usb/cpia2/cpia2_core.c
References:
https://deshal3v.github.io/blog/kernel-research/mmap_exploitation
https://lore.kernel.org/lkml/20200108161619.7999-1-tiwai@suse.de/
https://lore.kernel.org/lkml/20191111114615.GA418224@kroah.com/
Notes:
bwh> Introduced in 2.6.17 by commit ab33d5071de7 "V4L/DVB (3376): Add cpia2
bwh> camera support". The general issue has already beedn fixed by commit
bwh> be83bbf80682 "mmap: introduce sane default mmap limits" which went into
bwh> 4.17 and was backported to all live stable branches.
Bugs:
upstream: released (4.17-rc5) [be83bbf806822b1b89e0a0f23cd87cddc409e429]
4.19-upstream-stable: N/A "Fixed before branch point"
4.9-upstream-stable: released (4.9.108) [7a40374c34e8c25062b0d7e2d2152ff8b7af1274]
3.16-upstream-stable: released (3.16.60) [72d8a061cbfbee3a357d38ef80688df9e878de43]
sid: released (4.16.16-1)
4.19-buster-security: N/A "Fixed before branch point"
4.9-stretch-security: released (4.9.110-1)
3.16-jessie-security: released (3.16.64-1)
|