There is a potential integer overflow in do_insnlist_ioctl() if userspace passes in a large insnlist.n_insns. The call to kmalloc() would allocate a small buffer, which would result in a memory corruption.
Reported-by: Haogang Chen <[email protected]> Signed-off-by: Xi Wang <[email protected]> --- drivers/staging/comedi/comedi_fops.c | 7 +++++++ 1 files changed, 7 insertions(+), 0 deletions(-) diff --git a/drivers/staging/comedi/comedi_fops.c b/drivers/staging/comedi/comedi_fops.c index 21d8c1c..66bb49d 100644 --- a/drivers/staging/comedi/comedi_fops.c +++ b/drivers/staging/comedi/comedi_fops.c @@ -650,6 +650,7 @@ static int parse_insn(struct comedi_device *dev, struct comedi_insn *insn, * data (for reads) */ /* arbitrary limits */ +#define MAX_INSNS 256 #define MAX_SAMPLES 256 static int do_insnlist_ioctl(struct comedi_device *dev, struct comedi_insnlist __user *arg, void *file) @@ -663,6 +664,12 @@ static int do_insnlist_ioctl(struct comedi_device *dev, if (copy_from_user(&insnlist, arg, sizeof(struct comedi_insnlist))) return -EFAULT; + if (insnlist.n_insns > MAX_INSNS) { + DPRINTK("invalid number of instructions\n"); + ret = -EINVAL; + goto error; + } + data = kmalloc(sizeof(unsigned int) * MAX_SAMPLES, GFP_KERNEL); if (!data) { DPRINTK("kmalloc failed\n"); -- 1.7.5.4 _______________________________________________ devel mailing list [email protected] http://driverdev.linuxdriverproject.org/mailman/listinfo/devel
