If m.num is too large then the "m.num * sizeof(*m.arr)" multiplication could overflow and the access_ok() check wouldn't test the right size. Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx> --- Only needed in linux-next. diff --git a/drivers/xen/privcmd.c b/drivers/xen/privcmd.c index 215a3c0..fdff8f9 100644 --- a/drivers/xen/privcmd.c +++ b/drivers/xen/privcmd.c @@ -325,6 +325,8 @@ static long privcmd_ioctl_mmap_batch(void __user *udata, int version) return -EFAULT; /* Returns per-frame error in m.arr. */ m.err = NULL; + if (m.num > SIZE_MAX / sizeof(*m.arr)) + return -EINVAL; if (!access_ok(VERIFY_WRITE, m.arr, m.num * sizeof(*m.arr))) return -EFAULT; break; @@ -332,6 +334,8 @@ static long privcmd_ioctl_mmap_batch(void __user *udata, int version) if (copy_from_user(&m, udata, sizeof(struct privcmd_mmapbatch_v2))) return -EFAULT; /* Returns per-frame error code in m.err. */ + if (m.num > SIZE_MAX / sizeof(*m.err)) + return -EINVAL; if (!access_ok(VERIFY_WRITE, m.err, m.num * (sizeof(*m.err)))) return -EFAULT; break; -- To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html