| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <4ED00CCB.80604@gmail.com>
Date: Fri, 25 Nov 2011 16:46:51 -0500
From: Xi Wang <xi.wang@...il.com>
To: Dan Carpenter <dan.carpenter@...cle.com>
CC: "devel@...verdev.osuosl.org" <devel@...verdev.osuosl.org>,
Mori Hess <fmhess@...rs.sourceforge.net>,
"security@...nel.org" <security@...nel.org>,
Lars-Peter Clausen <lars@...afoo.de>,
Ian Abbott <ian.abbott@....co.uk>,
Lucas De Marchi <lucas.demarchi@...fusion.mobi>,
Greg Kroah-Hartman <gregkh@...e.de>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
Ian Abbott <abbotti@....co.uk>,
Franky Lin <frankyl@...adcom.com>,
Greg Dietsche <gregory.dietsche@....edu>,
Mark Pearson <markpearson_de@...oo.de>
Subject: [PATCH v3] comedi: integer overflow in do_insnlist_ioctl()
There is a potential integer overflow in do_insnlist_ioctl() if
userspace passes in a large insnlist.n_insns. The call to kmalloc()
would allocate a small buffer, leading to a memory corruption.
The bug was reported by Dan Carpenter <dan.carpenter@...cle.com>
and Haogang Chen <haogangchen@...il.com>. The patch was suggested by
Ian Abbott <abbotti@....co.uk> and Lars-Peter Clausen <lars@...afoo.de>.
Signed-off-by: Xi Wang <xi.wang@...il.com>
---
drivers/staging/comedi/comedi_fops.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/drivers/staging/comedi/comedi_fops.c
b/drivers/staging/comedi/comedi_fops.c
index 21d8c1c..7f7d79e 100644
--- a/drivers/staging/comedi/comedi_fops.c
+++ b/drivers/staging/comedi/comedi_fops.c
@@ -671,7 +671,7 @@ static int do_insnlist_ioctl(struct comedi_device *dev,
}
insns =
- kmalloc(sizeof(struct comedi_insn) * insnlist.n_insns, GFP_KERNEL);
+ kcalloc(insnlist.n_insns, sizeof(struct comedi_insn), GFP_KERNEL);
if (!insns) {
DPRINTK("kmalloc failed\n");
ret = -ENOMEM;
--
1.7.5.4
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists