From: Xi Wang Date: Fri, 25 Nov 2011 21:46:51 +0000 (-0500) Subject: Staging: comedi: fix integer overflow in do_insnlist_ioctl() X-Git-Url: https://git.karo-electronics.de/?a=commitdiff_plain;h=dfd8ee92a9192d78aa38cf8699df3630a7c88c85;p=linux-beck.git Staging: comedi: fix integer overflow in do_insnlist_ioctl() There is a potential integer overflow in do_insnlist_ioctl() if userspace passes in a large insnlist.n_insns. The call to kmalloc() would allocate a small buffer, leading to a memory corruption. The bug was reported by Dan Carpenter and Haogang Chen . The patch was suggested by Ian Abbott and Lars-Peter Clausen . Reported-by: Dan Carpenter Reported-by: Haogang Chen . Cc: Ian Abbott Cc: Lars-Peter Clausen Signed-off-by: Xi Wang Signed-off-by: Greg Kroah-Hartman --- diff --git a/drivers/staging/comedi/comedi_fops.c b/drivers/staging/comedi/comedi_fops.c index ebdcecda3583..5e78c77d5a08 100644 --- a/drivers/staging/comedi/comedi_fops.c +++ b/drivers/staging/comedi/comedi_fops.c @@ -671,7 +671,7 @@ static int do_insnlist_ioctl(struct comedi_device *dev, } insns = - kmalloc(sizeof(struct comedi_insn) * insnlist.n_insns, GFP_KERNEL); + kcalloc(insnlist.n_insns, sizeof(struct comedi_insn), GFP_KERNEL); if (!insns) { DPRINTK("kmalloc failed\n"); ret = -ENOMEM;