From: Xi Wang <[email protected]> There is a potential integer overflow in do_insnlist_ioctl() if userspace passes in a large insnlist.n_insns. The call to kmalloc() would allocate a small buffer, leading to a memory corruption.
The bug was reported by Dan Carpenter <[email protected]> and Haogang Chen <[email protected]>. The patch was suggested by Ian Abbott <[email protected]> and Lars-Peter Clausen <[email protected]>. Reported-by: Dan Carpenter <[email protected]> Reported-by: Haogang Chen <[email protected]>. Cc: Ian Abbott <[email protected]> Cc: Lars-Peter Clausen <[email protected]> Signed-off-by: Xi Wang <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]> --- drivers/staging/comedi/comedi_fops.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/drivers/staging/comedi/comedi_fops.c b/drivers/staging/comedi/comedi_fops.c index ebdcecd..5e78c77 100644 --- a/drivers/staging/comedi/comedi_fops.c +++ b/drivers/staging/comedi/comedi_fops.c @@ -671,7 +671,7 @@ static int do_insnlist_ioctl(struct comedi_device *dev, } insns = - kmalloc(sizeof(struct comedi_insn) * insnlist.n_insns, GFP_KERNEL); + kcalloc(insnlist.n_insns, sizeof(struct comedi_insn), GFP_KERNEL); if (!insns) { DPRINTK("kmalloc failed\n"); ret = -ENOMEM; -- 1.7.7.3 _______________________________________________ devel mailing list [email protected] http://driverdev.linuxdriverproject.org/mailman/listinfo/devel
