public inbox for kernel-janitors@vger.kernel.org
* [patch] Staging: comedi: integer overflow in do_insnlist_ioctl()
@ 2011-11-04 18:20 Dan Carpenter
  0 siblings, 0 replies; only message in thread
From: Dan Carpenter @ 2011-11-04 18:20 UTC (permalink / raw)
  To: kernel-janitors

There is an integer overflow here that could cause memory corruption
on 32 bit systems.

insnlist.n_insns could be a very high value; the size calculation for
kmalloc() could overflow, resulting in a smaller "insns" than
expected.  In the for (i = 0; i < insnlist.n_insns; i++) {... loop
we would read past the end of the buffer, possibly corrupting memory
as well.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

diff --git a/drivers/staging/comedi/comedi_fops.c b/drivers/staging/comedi/comedi_fops.c
index 21d8c1c..3b4017f 100644
--- a/drivers/staging/comedi/comedi_fops.c
+++ b/drivers/staging/comedi/comedi_fops.c
@@ -670,6 +670,11 @@ static int do_insnlist_ioctl(struct comedi_device *dev,
 		goto error;
 	}
 
+	if (sizeof(struct comedi_insn) * insnlist.n_insns < insnlist.n_insns) {
+		ret = -EINVAL;
+		goto error;
+	}
+
 	insns  	    kmalloc(sizeof(struct comedi_insn) * insnlist.n_insns, GFP_KERNEL);
 	if (!insns) {
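Review bot: the guard `sizeof(struct comedi_insn) * insnlist.n_insns < insnlist.n_insns` does not catch every wrap of that multiplication; `a * k < a` is only a reliable overflow test when k is 1 or 2. With a 32-bit size_t and k = 3, n_insns = 0x80000000 gives a product of 0x180000000, which truncates to 0x80000000, not less than n_insns, so the check passes and kmalloc() is asked for a much smaller buffer than the loop described in the message then indexes; many other (k, n_insns) pairs behave the same way. Compare the count against the quotient instead, `if (insnlist.n_insns > ULONG_MAX / sizeof(struct comedi_insn))`, or replace the kmalloc() with `kcalloc(insnlist.n_insns, sizeof(struct comedi_insn), GFP_KERNEL)`, which performs that division check internally and lets the hand-written guard go away entirely. Whichever form stays, a one-line comment saying the check bounds the allocation size would help, since a bare multiply-and-compare reads like a typo.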

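The overflow guard discussed above, worked through as an added example that is not part of Dan Carpenter's patch or of the comedi driver: it models a 32-bit size_t with uint32_t, compares the patch's "product smaller than count" guard and a quotient-based guard against 64-bit ground truth, and counts how many counts in a range each guard gets wrong. The element size of 32 bytes and the probe counts are constructed for the demonstration and are not the real sizeof(struct comedi_insn).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model a 32-bit size_t so the wrap is visible on any host. */
typedef uint32_t size32_t;
#define SIZE32_MAX UINT32_MAX

/* Ground truth: does elem * n exceed what a 32-bit size_t can hold? */
static bool product_wraps(size32_t elem, size32_t n)
{
	return (uint64_t)elem * n > SIZE32_MAX;
}

/* The guard in the patch: reject when the (wrapped) product is smaller than n. */
static bool guard_product_lt_n(size32_t elem, size32_t n)
{
	return (size32_t)(elem * n) < n;
}

/* Quotient guard: reject when n exceeds the largest count that still fits. */
static bool guard_quotient(size32_t elem, size32_t n)
{
	return n > SIZE32_MAX / elem;
}

/* Count the values in [lo, hi] that wrap yet slip past the product guard. */
static uint32_t missed_by_product_guard(size32_t elem, size32_t lo, size32_t hi)
{
	uint32_t missed = 0;
	for (uint64_t n = lo; n <= hi; n++) {
		if (product_wraps(elem, (size32_t)n) && !guard_product_lt_n(elem, (size32_t)n))
			missed++;
	}
	return missed;
}

/* Count the values in [lo, hi] where the quotient guard disagrees with ground truth. */
static uint32_t mismatches_of_quotient_guard(size32_t elem, size32_t lo, size32_t hi)
{
	uint32_t wrong = 0;
	for (uint64_t n = lo; n <= hi; n++) {
		if (product_wraps(elem, (size32_t)n) != guard_quotient(elem, (size32_t)n))
			wrong++;
	}
	return wrong;
}

int main(void)
{
	/* Constructed element size; the real sizeof(struct comedi_insn) is not assumed here. */
	const size32_t elem = 32;
	/* Constructed probe counts: a sane one, one at the 2^32 boundary, and two past it. */
	const size32_t probes[] = { 100, 0x08000000u, 0x08000001u, 0x0C000000u };

	printf("%-12s %-6s %-14s %-14s\n", "n_insns", "wraps", "product<n", "quotient");
	for (unsigned i = 0; i < sizeof(probes) / sizeof(probes[0]); i++) {
		size32_t n = probes[i];
		printf("0x%08x   %-6s %-14s %-14s\n", n,
		       product_wraps(elem, n) ? "yes" : "no",
		       guard_product_lt_n(elem, n) ? "rejects" : "PASSES",
		       guard_quotient(elem, n) ? "rejects" : "passes");
	}

	printf("wrapping counts missed by the product guard in [0x0C000000, 0x0C00000F]: %u\n",
	       missed_by_product_guard(elem, 0x0C000000u, 0x0C00000Fu));
	printf("quotient guard mismatches in [0x07FFFFF0, 0x0800000F]: %u\n",
	       mismatches_of_quotient_guard(elem, 0x07FFFFF0u, 0x0800000Fu));
	return 0;
}
```

The table shows the failure the reviewer note describes: 0x0C000000 times 32 wraps to 0x80000000, which is not smaller than the count, so the product guard lets it through while the quotient guard rejects it. The quotient guard is exact because it never performs the multiplication that can wrap.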