On Wed, Nov 30, 2011 at 09:25:21AM -0500, Xi Wang wrote:
> There are two potential integer overflows in private_ioctl() if
> userspace passes in a large sList.uItem / sNodeList.uItem. The
> subsequent call to kmalloc() would allocate a small buffer, leading
> to a memory corruption.
>
> Reported-by: Dan Rosenberg <drosenberg@xxxxxxxxxxxxx>
> Signed-off-by: Xi Wang <xi.wang@xxxxxxxxx>
> ---
> drivers/staging/vt6656/ioctl.c | 8 ++++++++
> 1 files changed, 8 insertions(+), 0 deletions(-)
>
> diff --git a/drivers/staging/vt6656/ioctl.c b/drivers/staging/vt6656/ioctl.c
> index 4939002..1463d76 100644
> --- a/drivers/staging/vt6656/ioctl.c
> +++ b/drivers/staging/vt6656/ioctl.c
> @@ -295,6 +295,10 @@ int private_ioctl(PSDevice pDevice, struct ifreq *rq)
> result = -EFAULT;
> break;
> }
> + if (sList.uItem > (ULONG_MAX - sizeof(SBSSIDList)) / sizeof(SBSSIDItem)) {
It doesn't actually matter because sizeof(SBSSIDList) is just 4 but
normally you would do the math different.
if (sList.uItem > ULONG_MAX / sizeof(SBSSIDItem) - sizeof(SBSSIDList)) {
But both checks are low enough in this case.
> + result = -EINVAL;
> + break;
> + }
> pList = (PSBSSIDList)kmalloc(sizeof(SBSSIDList) + (sList.uItem * sizeof(SBSSIDItem)), (int)GFP_ATOMIC);
> if (pList == NULL) {
> result = -ENOMEM;
regards,
dan carpenter
Attachment:
signature.asc
Description: Digital signature
_______________________________________________ devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxx http://driverdev.linuxdriverproject.org/mailman/listinfo/devel
