lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <FD2BDBE06AC58549AE9E16C08B45675D061FCB70@BBY1EXM10.pmc_nt.nt.pmc-sierra.bc.ca>
Date:	Thu, 1 Dec 2011 02:07:33 -0800
From:	"Achim Leubner" <Achim_Leubner@...-sierra.com>
To:	"Haogang Chen" <haogangchen@...il.com>, <aacraid@...ptec.com>
Cc:	<JBottomley@...allels.com>, <linux-scsi@...r.kernel.org>,
	<linux-kernel@...r.kernel.org>
Subject: RE: [PATCH] SCSI: aacraid: potential integer overflow in aac_get_containers()

Acked-by: Achim Leubner <Achim_Leubner@...-sierra.com>


-----Original Message-----
From: linux-scsi-owner@...r.kernel.org
[mailto:linux-scsi-owner@...r.kernel.org] On Behalf Of Haogang Chen
Sent: Donnerstag, 1. Dezember 2011 03:30
To: aacraid@...ptec.com
Cc: JBottomley@...allels.com; linux-scsi@...r.kernel.org;
linux-kernel@...r.kernel.org; haogangchen@...il.com
Subject: [PATCH] SCSI: aacraid: potential integer overflow in
aac_get_containers()

There is a potential integer overflow in aac_get_containers(). When
maximum_num_containers is large, the subsequent call to kzalloc() will
allocate a buffer smaller than expected, which leads to memory
corruption in the for loop.

The patch replaces kzalloc with kcalloc.

Signed-off-by: Haogang Chen <haogangchen@...il.com>
---
 drivers/scsi/aacraid/aachba.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/drivers/scsi/aacraid/aachba.c
b/drivers/scsi/aacraid/aachba.c
index 409f580..440b84d 100644
--- a/drivers/scsi/aacraid/aachba.c
+++ b/drivers/scsi/aacraid/aachba.c
@@ -381,7 +381,7 @@ int aac_get_containers(struct aac_dev *dev)
 
 	if (maximum_num_containers < MAXIMUM_NUM_CONTAINERS)
 		maximum_num_containers = MAXIMUM_NUM_CONTAINERS;
-	fsa_dev_ptr = kzalloc(sizeof(*fsa_dev_ptr) *
maximum_num_containers,
+	fsa_dev_ptr = kcalloc(maximum_num_containers,
sizeof(*fsa_dev_ptr), 
 			GFP_KERNEL);
 	if (!fsa_dev_ptr)
 		return -ENOMEM;
-- 
1.7.5.4

--
To unsubscribe from this list: send the line "unsubscribe linux-scsi" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ