[PATCH] comedi: integer overflow in do_insnlist_ioctl()

Lars-Peter Clausen lars at metafoo.de
Wed Nov 23 21:41:07 UTC 2011


On 11/23/2011 05:06 PM, Ian Abbott wrote:
> On 2011-11-23 14:50, Dan Carpenter wrote:
>> On Wed, Nov 23, 2011 at 08:59:52AM -0500, Xi Wang wrote:
>>> Thanks for the pointer.  However you cannot do the overflow check using
>>>
>>>    if (sizeof(struct comedi_insn) * insnlist.n_insns < 
>>> insnlist.n_insns)
>>>
>>> Let's assume 32-bit system, sizeof(struct comedi_insn) = 32, and
>>> insnlist.n_insns = 0x7fffffff.
>>>
>>> Note that 32 * 0x7fffffff = 0xffffffe0 overflows but bypasses your
>>> check.
>>>
>>
>> Argh...  You're right, my check is wrong.  What I like about my patch
>> though is that it doesn't introduce an arbitrary limit.  Could you
>> redo your check without the MAX_INSNS?
> 
> Could use something like:
> 
>     if (insnlist.n_insns <= ULONG_MAX / sizeof(struct comedi_insn))
>         insns =
>             kmalloc(sizeof(struct comedi_insn) * insnlist.n_insns,
>                 GFP_KERNEL);
>     if (!insns)
>         ...
> 
> (note that insns is initialized to NULL).
> 

Just use kcalloc, it will do the right thing for you.

- Lars



More information about the devel mailing list