From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Fri, 4 Nov 2011 18:24:08 +0000 (+0300)
Subject: xen-gntalloc: integer overflow in gntalloc_ioctl_alloc()
X-Git-Tag: v3.2-rc3~38^2~1
X-Git-Url: http://git.openpandora.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=21643e69a4c06f7ef155fbc70e3fba13fba4a756;p=pandora-kernel.git

xen-gntalloc: integer overflow in gntalloc_ioctl_alloc()

On 32 bit systems a high value of op.count could lead to an integer
overflow in the kzalloc() and gref_ids would be smaller than
expected.  If the you triggered another integer overflow in
"if (gref_size + op.count > limit)" then you'd probably get memory
corruption inside add_grefs().

CC: stable@kernel.org
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
---

Reading git-diff-tree failed