There is a potential integer overflow in do_insnlist_ioctl() if
userspace passes in a large insnlist.n_insns. The call to kmalloc()
would allocate a small buffer, leading to a memory corruption.
Reported-by: Haogang Chen <haogangchen@xxxxxxxxx>
Suggested-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Suggested-by: Ian Abbott <abbotti@xxxxxxxxx>
Signed-off-by: Xi Wang <xi.wang@xxxxxxxxx>
---
drivers/staging/comedi/comedi_fops.c | 5 +++--
1 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/staging/comedi/comedi_fops.c b/drivers/staging/comedi/comedi_fops.c
index 21d8c1c..df86a9e 100644
--- a/drivers/staging/comedi/comedi_fops.c
+++ b/drivers/staging/comedi/comedi_fops.c
@@ -670,8 +670,9 @@ static int do_insnlist_ioctl(struct comedi_device *dev,
goto error;
}
- insns =
- kmalloc(sizeof(struct comedi_insn) * insnlist.n_insns, GFP_KERNEL);
+ if (insnlist.n_insns <= ULONG_MAX / sizeof(struct comedi_insn))
+ insns = kmalloc(sizeof(struct comedi_insn) * insnlist.n_insns,
+ GFP_KERNEL);
if (!insns) {
DPRINTK("kmalloc failed\n");
ret = -ENOMEM;
--
1.7.5.4
_______________________________________________
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxx
http://driverdev.linuxdriverproject.org/mailman/listinfo/devel
