[PATCH 2/2 v2] staging: vt6656: integer overflows in private_ioctl()
Dan Carpenter
dan.carpenter at oracle.com
Wed Nov 30 15:15:56 UTC 2011
On Wed, Nov 30, 2011 at 09:25:21AM -0500, Xi Wang wrote:
> There are two potential integer overflows in private_ioctl() if
> userspace passes in a large sList.uItem / sNodeList.uItem. The
> subsequent call to kmalloc() would allocate a small buffer, leading
> to a memory corruption.
>
> Reported-by: Dan Rosenberg <drosenberg at vsecurity.com>
> Signed-off-by: Xi Wang <xi.wang at gmail.com>
> ---
> drivers/staging/vt6656/ioctl.c | 8 ++++++++
> 1 files changed, 8 insertions(+), 0 deletions(-)
>
> diff --git a/drivers/staging/vt6656/ioctl.c b/drivers/staging/vt6656/ioctl.c
> index 4939002..1463d76 100644
> --- a/drivers/staging/vt6656/ioctl.c
> +++ b/drivers/staging/vt6656/ioctl.c
> @@ -295,6 +295,10 @@ int private_ioctl(PSDevice pDevice, struct ifreq *rq)
> result = -EFAULT;
> break;
> }
> + if (sList.uItem > (ULONG_MAX - sizeof(SBSSIDList)) / sizeof(SBSSIDItem)) {
It doesn't actually matter because sizeof(SBSSIDList) is just 4, but
normally you would do the math differently.
if (sList.uItem > ULONG_MAX / sizeof(SBSSIDItem) - sizeof(SBSSIDList)) {
But both checks are low enough in this case.
> + result = -EINVAL;
> + break;
> + }
> pList = (PSBSSIDList)kmalloc(sizeof(SBSSIDList) + (sList.uItem * sizeof(SBSSIDItem)), (int)GFP_ATOMIC);
> if (pList == NULL) {
> result = -ENOMEM;
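Review bot: the commit message and the diffstat (8 insertions) describe two checks, one for sList.uItem and one for sNodeList.uItem, but only the sList hunk is quoted here, so please confirm the second hunk follows the same pattern with the sizes of its own header and item types rather than reusing SBSSIDList/SBSSIDItem. For the hunk shown, the bound correctly rejects values for which sizeof(SBSSIDList) + uItem * sizeof(SBSSIDItem) would wrap, and -EINVAL is the right return for a malformed request; since kmalloc with GFP_ATOMIC cannot satisfy allocations anywhere near ULONG_MAX anyway, a sane upper limit on the number of list entries would reject oversized requests earlier and with a clearer error than the later -ENOMEM path.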
regards,
dan carpenter