[PATCH 0/2] staging: vc04_services: vc-sm-cma: fix security issues in clean_invalid2 ioctl
Sebastian Josue Alba Vives
sebasjosue84 at gmail.com
Sat Mar 28 23:18:44 PDT 2026

This series fixes two security issues in the VideoCore shared memory CMA
driver (vc-sm-cma), accessible via /dev/vc-sm-cma which is created with
mode 0666 (world-accessible, no authentication required).

Both bugs are in vc_sm_cma_clean_invalid2(), reachable via the
VC_SM_CMA_CMD_CLEAN_INVALID2 ioctl on 32-bit ARM kernels.

Patch 1: Integer overflow in kmalloc size computation
Patch 2: Missing address validation in cache maintenance operations

Both issues affect 32-bit Raspberry Pi kernels (RPi 1/2/3/Zero and
32-bit RPi 4/5 configurations) running the rpi-6.6.y kernel series.

Both issues were found through manual source code auditing.

I would like to request separate CVE assignments for each patch as they
are independent vulnerabilities.

Reported-by: Sebastián Alba Vives <sebasjosue84 at gmail.com>

More information about the linux-rpi-kernel mailing list