lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-Id: <5C0D372F-F03E-4EB8-8440-83A8D1C95363@gmail.com>
Date:	Tue, 22 Nov 2011 19:49:29 -0500
From:	Xi Wang <xi.wang@...il.com>
To:	linux-kernel@...r.kernel.org
Cc:	Ian Abbott <abbotti@....co.uk>,
	Mori Hess <fmhess@...rs.sourceforge.net>,
	Greg Kroah-Hartman <gregkh@...e.de>,
	Mark Pearson <markpearson_de@...oo.de>,
	Lucas De Marchi <lucas.demarchi@...fusion.mobi>,
	Greg Dietsche <Gregory.Dietsche@....edu>,
	Franky Lin <frankyl@...adcom.com>, devel@...verdev.osuosl.org,
	security@...nel.org
Subject: [PATCH] comedi: integer overflow in do_insnlist_ioctl()

There is a potential integer overflow in do_insnlist_ioctl() if userspace passes in a large insnlist.n_insns.  The call to kmalloc() would allocate a small buffer, which would result in a memory corruption.

Reported-by: Haogang Chen <haogangchen@...il.com>
Signed-off-by: Xi Wang <xi.wang@...il.com>
---
 drivers/staging/comedi/comedi_fops.c |    7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)

diff --git a/drivers/staging/comedi/comedi_fops.c b/drivers/staging/comedi/comedi_fops.c
index 21d8c1c..66bb49d 100644
--- a/drivers/staging/comedi/comedi_fops.c
+++ b/drivers/staging/comedi/comedi_fops.c
@@ -650,6 +650,7 @@ static int parse_insn(struct comedi_device *dev, struct comedi_insn *insn,
  *		data (for reads)
  */
 /* arbitrary limits */
+#define MAX_INSNS   256
 #define MAX_SAMPLES 256
 static int do_insnlist_ioctl(struct comedi_device *dev,
 			     struct comedi_insnlist __user *arg, void *file)
@@ -663,6 +664,12 @@ static int do_insnlist_ioctl(struct comedi_device *dev,
 	if (copy_from_user(&insnlist, arg, sizeof(struct comedi_insnlist)))
 		return -EFAULT;
 
+	if (insnlist.n_insns > MAX_INSNS) {
+		DPRINTK("invalid number of instructions\n");
+		ret = -EINVAL;
+		goto error;
+	}
+
 	data = kmalloc(sizeof(unsigned int) * MAX_SAMPLES, GFP_KERNEL);
 	if (!data) {
 		DPRINTK("kmalloc failed\n");
-- 
1.7.5.4

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ