发布时间: 2024年10月12日
修改时间: 2024年10月14日
In the Linux kernel, the following vulnerability has been resolved:dma-buf: heaps: Fix off-by-one in CMA heap fault handlerUntil VM_DONTEXPAND was added in commit 1c1914d6e8c6 ( dma-buf: heaps:Don t track CMA dma-buf pages under RssFile ) it was possible to obtaina mapping larger than the buffer size via mremap and bypass the overflowcheck in dma_buf_mmap_internal. When using such a mapping to attempt tofault past the end of the buffer, the CMA heap fault handler also checksthe fault offset against the buffer size, but gets the boundary wrong by1. Fix the boundary check so that we don t read off the end of the pagesarray and insert an arbitrary page in the mapping.
| NVD | openEuler | |
|---|---|---|
| Confidentiality | High | High |
| Attack Vector | Local | Local |
| CVSS评分 | 7.8 | 7.8 |
| Attack Complexity | Low | Low |
| Privileges Required | Low | Low |
| Scope | Unchanged | Unchanged |
| Integrity | High | High |
| User Interaction | None | None |
| Availability | High | High |
| 公告名 | 概要 | 发布时间 |
|---|---|---|
| KylinSec-SA-2024-3916 | In the Linux kernel, the following vulnerability has been resolved:dma-buf: heaps: Fix off-by-one in CMA heap fault handlerUntil VM_DONTEXPAND was added in commit 1c1914d6e8c6 ( dma-buf: heaps:Don t track CMA dma-buf pages under RssFile ) it was possible to obtaina mapping larger than the buffer size via mremap and bypass the overflowcheck in dma_buf_mmap_internal. When using such a mapping to attempt tofault past the end of the buffer, the CMA heap fault handler also checksthe fault offset against the buffer size, but gets the boundary wrong by1. Fix the boundary check so that we don t read off the end of the pagesarray and insert an arbitrary page in the mapping. | 2024年10月12日 |
| KylinSec-SA-2024-4984 | kernel security update | 2025年7月30日 |
| 产品 | 包 | 状态 |
|---|---|---|
| V6 | kernel | Fixed |
