git.openpandora.org / pandora-kernel.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 6a9ce6b)
Staging: comedi: integer overflow in do_insnlist_ioctl()
authorDan Carpenter <dan.carpenter@oracle.com>
Fri, 4 Nov 2011 18:20:43 +0000 (21:20 +0300)
committerGreg Kroah-Hartman <gregkh@suse.de>
Sun, 27 Nov 2011 02:34:15 +0000 (18:34 -0800)
There is an integer overflow here that could cause memory corruption
on 32 bit systems.

insnlist.n_insns could be a very high value size calculation for
kmalloc() could overflow resulting in a smaller "insns" than
expected.  In the for (i = 0; i < insnlist.n_insns; i++) {... loop
we would read past the end of the buffer, possibly corrupting memory
as well.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
drivers/staging/comedi/comedi_fops.c patch | blob | history

diff --git a/drivers/staging/comedi/comedi_fops.c b/drivers/staging/comedi/comedi_fops.c
index ebdcecd..ed4853f 100644 (file)
--- a/drivers/staging/comedi/comedi_fops.c
+++ b/drivers/staging/comedi/comedi_fops.c
@@ -670,6 +670,11 @@ static int do_insnlist_ioctl(struct comedi_device *dev,
                goto error;
        }
 
+       if (sizeof(struct comedi_insn) * insnlist.n_insns < insnlist.n_insns) {
+               ret = -EINVAL;
+               goto error;
+       }
+
        insns =
            kmalloc(sizeof(struct comedi_insn) * insnlist.n_insns, GFP_KERNEL);
        if (!insns) {
Pandora Kernel Repository