UbiquitousOS
/
OpenCloudOS-Kernel
mirror of https://gitee.com/OpenCloudOS/OpenCloudOS-Kernel.git
11
0
Fork 0
Code Issues Projects Releases Wiki Activity

Staging: comedi: fix integer overflow in do_insnlist_ioctl() 

There is a potential integer overflow in do_insnlist_ioctl() if
userspace passes in a large insnlist.n_insns.  The call to kmalloc()
would allocate a small buffer, leading to a memory corruption.

The bug was reported by Dan Carpenter <dan.carpenter@oracle.com>
and Haogang Chen <haogangchen@gmail.com>.  The patch was suggested by
Ian Abbott <abbotti@mev.co.uk> and Lars-Peter Clausen <lars@metafoo.de>.

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Reported-by: Haogang Chen <haogangchen@gmail.com>.
Cc: Ian Abbott <abbotti@mev.co.uk>
Cc: Lars-Peter Clausen <lars@metafoo.de>
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
This commit is contained in:
Xi Wang 2011-11-25 16:46:51 -05:00 committed by Greg Kroah-Hartman
parent 06b446c8af
commit dfd8ee92a9
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
drivers/staging/comedi/comedi_fops.c
View File

@ -671,7 +671,7 @@ static int do_insnlist_ioctl(struct comedi_device *dev,
}
insns =
kmalloc(sizeof(struct comedi_insn) * insnlist.n_insns, GFP_KERNEL);
kcalloc(insnlist.n_insns, sizeof(struct comedi_insn), GFP_KERNEL);
if (!insns) {
DPRINTK("kmalloc failed\n");
ret = -ENOMEM;