Information

File: drivers/gpu/drm/udl/udl_fb.c
Function: udl_fb_mmap

There is an integer-overflow vulnerability that allows local users with access to the udldrmfb driver to obtain full read and write access to kernel physical pages, resulting in code execution in kernel space (i.e. local privilege escalation, LPE).

Code snippet:

static int udl_fb_mmap(struct fb_info *info, struct vm_area_struct *vma)
{
    unsigned long start = vma->vm_start;
    unsigned long size = vma->vm_end - vma->vm_start;
    unsigned long offset = vma->vm_pgoff << PAGE_SHIFT;
    unsigned long page, pos;

    // EI: offset + size can IOF to pass the size limits
    // EI: 1) offset = 2 ** 64 - info->fix.smem_start + <wanted address>
    // EI: 2) size   = wanted size (can be used to reach the wanted address)
    // EI: We can map lower physical pages to the user
    if (offset + size > info->fix.smem_len)
        return -EINVAL;

    pos = (unsigned long)info->fix.smem_start + offset;

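The following is an added user-space model of the bounds check above (not the driver's code and not the upstream patch verbatim). It shows the `offset + size` wrap that slips past the original comparison and the overflow-safe form that rejects it; it assumes a 64-bit `unsigned long`, a constructed 8 MiB `smem_len` and a 4096-byte page.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the udl_fb_mmap bounds check, built as a user-space
 * program for illustration (this is not the driver's code). On x86_64,
 * unsigned long is 64 bits, so uint64_t models offset, size and smem_len. */

#define PAGE_SIZE_BYTES 4096ULL

/* The check as it appears in the vulnerable snippet: offset + size may wrap. */
static bool range_ok_vulnerable(uint64_t offset, uint64_t size, uint64_t smem_len)
{
    return !(offset + size > smem_len);
}

/* Overflow-safe form: each operand is compared against the limit on its own,
 * so no addition that could wrap is ever performed (the general fix pattern
 * for this bug class; not a verbatim copy of the upstream patch). */
static bool range_ok_fixed(uint64_t offset, uint64_t size, uint64_t smem_len)
{
    if (offset > smem_len)
        return false;
    return size <= smem_len - offset;
}

/* Returns 1 if the two checks disagree for a request, else 0. Any disagreement
 * is a request the original check wrongly accepts. */
static int checks_disagree(uint64_t offset, uint64_t size, uint64_t smem_len)
{
    return range_ok_vulnerable(offset, size, smem_len) !=
           range_ok_fixed(offset, size, smem_len);
}

int main(void)
{
    const uint64_t smem_len = 8ULL * 1024 * 1024; /* constructed 8 MiB framebuffer */
    const uint64_t size = PAGE_SIZE_BYTES;
    /* Offset chosen so that offset + size wraps to exactly 0. */
    const uint64_t wrap = UINT64_MAX - size + 1;

    /* In range: both accept. Past the end without wrapping: both reject.
     * Wrapping: only the fixed check rejects. */
    printf("in-range: vuln=%d fixed=%d\n", range_ok_vulnerable(0, size, smem_len),
           range_ok_fixed(0, size, smem_len));
    printf("past-end: vuln=%d fixed=%d\n", range_ok_vulnerable(smem_len, size, smem_len),
           range_ok_fixed(smem_len, size, smem_len));
    printf("wrapping: vuln=%d fixed=%d disagree=%d\n", range_ok_vulnerable(wrap, size, smem_len),
           range_ok_fixed(wrap, size, smem_len), checks_disagree(wrap, size, smem_len));
    return 0;
}
```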

References:
https://research.checkpoint.com/mmap-vulnerabilities-linux-kernel/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8781