From: Xi Wang <xi.wang@xxxxxxxxx>
There is a potential integer overflow in do_insnlist_ioctl() if
userspace passes in a large insnlist.n_insns. The call to kmalloc()
would allocate a small buffer, leading to a memory corruption.
The bug was reported by Dan Carpenter <dan.carpenter@xxxxxxxxxx>
and Haogang Chen <haogangchen@xxxxxxxxx>. The patch was suggested by
Ian Abbott <abbotti@xxxxxxxxx> and Lars-Peter Clausen <lars@xxxxxxxxxx>.
Reported-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Reported-by: Haogang Chen <haogangchen@xxxxxxxxx>.
Cc: Ian Abbott <abbotti@xxxxxxxxx>
Cc: Lars-Peter Clausen <lars@xxxxxxxxxx>
Signed-off-by: Xi Wang <xi.wang@xxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxx>
---
drivers/staging/comedi/comedi_fops.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/drivers/staging/comedi/comedi_fops.c b/drivers/staging/comedi/comedi_fops.c
index ebdcecd..5e78c77 100644
--- a/drivers/staging/comedi/comedi_fops.c
+++ b/drivers/staging/comedi/comedi_fops.c
@@ -671,7 +671,7 @@ static int do_insnlist_ioctl(struct comedi_device *dev,
}
insns =
- kmalloc(sizeof(struct comedi_insn) * insnlist.n_insns, GFP_KERNEL);
+ kcalloc(insnlist.n_insns, sizeof(struct comedi_insn), GFP_KERNEL);
if (!insns) {
DPRINTK("kmalloc failed\n");
ret = -ENOMEM;
--
1.7.7.3
_______________________________________________
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxx
http://driverdev.linuxdriverproject.org/mailman/listinfo/devel
