摘要:
In the Linux kernel, the following vulnerability has been resolved:dma-buf: heaps: Fix off-by-one in CMA heap fault handlerUntil VM_DONTEXPAND was added in commit 1c1914d6e8c6 ( dma-buf: heaps:Don t track CMA dma-buf pages under RssFile ) it was possible to obtaina mapping larger than the buffer size via mremap and bypass the overflowcheck in dma_buf_mmap_internal. When using such a mapping to attempt tofault past the end of the buffer, the CMA heap fault handler also checksthe fault offset against the buffer size, but gets the boundary wrong by1. Fix the boundary check so that we don t read off the end of the pagesarray and insert an arbitrary page in the mapping.
安全等级: Low
公告ID: KylinSec-SA-2024-3916
发布日期: 2024年10月12日
关联CVE: CVE-2024-46852
In the Linux kernel, the following vulnerability has been resolved:dma-buf: heaps: Fix off-by-one in CMA heap fault handlerUntil VM_DONTEXPAND was added in commit 1c1914d6e8c6 ( dma-buf: heaps:Don t track CMA dma-buf pages under RssFile ) it was possible to obtaina mapping larger than the buffer size via mremap and bypass the overflowcheck in dma_buf_mmap_internal. When using such a mapping to attempt tofault past the end of the buffer, the CMA heap fault handler also checksthe fault offset against the buffer size, but gets the boundary wrong by1. Fix the boundary check so that we don t read off the end of the pagesarray and insert an arbitrary page in the mapping.
| cve名称 | 产品 | 组件 | 是否受影响 |
|---|
