[PATCH 2/2 v2] staging: vt6656: integer overflows in private_ioctl()

Dan Carpenter dan.carpenter at oracle.com
Wed Nov 30 15:15:56 UTC 2011


On Wed, Nov 30, 2011 at 09:25:21AM -0500, Xi Wang wrote:
> There are two potential integer overflows in private_ioctl() if
> userspace passes in a large sList.uItem / sNodeList.uItem.  The
> subsequent call to kmalloc() would allocate a small buffer, leading
> to a memory corruption.
> 
> Reported-by: Dan Rosenberg <drosenberg at vsecurity.com>
> Signed-off-by: Xi Wang <xi.wang at gmail.com>
> ---
>  drivers/staging/vt6656/ioctl.c |    8 ++++++++
>  1 files changed, 8 insertions(+), 0 deletions(-)
> 
> diff --git a/drivers/staging/vt6656/ioctl.c b/drivers/staging/vt6656/ioctl.c
> index 4939002..1463d76 100644
> --- a/drivers/staging/vt6656/ioctl.c
> +++ b/drivers/staging/vt6656/ioctl.c
> @@ -295,6 +295,10 @@ int private_ioctl(PSDevice pDevice, struct ifreq *rq)
>  			result = -EFAULT;
>  			break;
>  		}
> +		if (sList.uItem > (ULONG_MAX - sizeof(SBSSIDList)) / sizeof(SBSSIDItem)) {

It doesn't actually matter because sizeof(SBSSIDList) is just 4 but
normally you would do the math different.

		if (sList.uItem > ULONG_MAX / sizeof(SBSSIDItem) - sizeof(SBSSIDList)) {

But both checks are low enough in this case.

> +			result = -EINVAL;
> +			break;
> +		}
>  		pList = (PSBSSIDList)kmalloc(sizeof(SBSSIDList) + (sList.uItem * sizeof(SBSSIDItem)), (int)GFP_ATOMIC);
>  		if (pList == NULL) {
>  			result = -ENOMEM;

regards,
dan carpenter
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://driverdev.linuxdriverproject.org/pipermail/driverdev-devel/attachments/20111130/f9719c89/attachment.asc>


More information about the devel mailing list