Bug 2137505 (CVE-2022-20369)

Summary: CVE-2022-20369 kernel: v4l2-mem2mem: Apply DST_QUEUE_OFF_BASE on MMAP buffers across ioctls
Product: [Other] Security Response Reporter: Alex <allarkin>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: acaringi, adscvr, airlied, alciregi, bhu, brdeoliv, bskeggs, ddepaula, dhoward, dvlasenk, fhrbata, hdegoede, hkrzesin, hpa, jarod, jarodwilson, jfaracco, jferlan, jforbes, jglisse, joe.lawrence, jonathan, josef, jshortt, jstancek, jwboyer, kcarcia, kernel-maint, kernel-mgr, lgoncalv, linville, lzampier, masami256, mchehab, nmurray, ptalbert, rvrbovsk, scweaver, steved, walters
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds write flaw was found in the Linux kernel’s UVC camera and similar device driver code due to improper input validation in the v4l2-mem2mem.c source code in how a user calls ioctl VIDIOC_QUERYBUF with mmap. This issue occurs if the capture buffer mapped directly from the userspace uses values from DQBUF, which returns an error. This flaw allows a local user to crash or escalate their privileges on the system.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2022-12-02 11:03:20 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2137511    
Bug Blocks: 2134647    

Description Alex 2022-10-25 09:46:18 UTC 
A flaw possible out of bounds write in the Linux kernel found. Due to improper input validation, in v4l2_m2m_querybuf of v4l2-mem2mem.c, out of bounds write could happen when user calls ioctl VIDIOC_QUERYBUF with mmap the capture buffer directly from userspace using values from DQBUF. As result, it can lead to local escalation of privilege. The user need to have system execution privileges to trigger this.

Reference:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=8310ca94075e784bbb06593cd6c068ee6b6e4ca6
Comment 2 Alex 2022-10-25 09:59:49 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2137511]
Comment 5 Justin M. Forbes 2022-11-08 14:58:33 UTC 
This was fixed for Fedora with the 5.16.19 stable kernel updates.
Comment 6 Product Security DevOps Team 2022-12-02 11:03:15 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-20369