Re: [PATCH v3] comedi: integer overflow in do_insnlist_ioctl()
From: Greg KH
Date: Sun Nov 27 2011 - 16:25:50 EST
On Sun, Nov 27, 2011 at 02:25:39PM +0300, Dan Carpenter wrote:
> On Sat, Nov 26, 2011 at 06:52:52PM -0800, Greg KH wrote:
> > On Fri, Nov 25, 2011 at 04:46:51PM -0500, Xi Wang wrote:
> > > There is a potential integer overflow in do_insnlist_ioctl() if
> > > userspace passes in a large insnlist.n_insns. The call to kmalloc()
> > > would allocate a small buffer, leading to a memory corruption.
> > >
> > > The bug was reported by Dan Carpenter <dan.carpenter@xxxxxxxxxx>
> > > and Haogang Chen <haogangchen@xxxxxxxxx>. The patch was suggested by
> > > Ian Abbott <abbotti@xxxxxxxxx> and Lars-Peter Clausen <lars@xxxxxxxxxx>.
> > >
> > > Signed-off-by: Xi Wang <xi.wang@xxxxxxxxx>
> >
> > Hm, I already applied Dan's previous patch, what should I do with this
> > one now? Revert Dan's and apply this one, or apply both of them, or
> > something else?
>
> Sorry for that, I should have replied to my patch when I learned that
> it had a problem.
>
> Please, revert mine and apply Xi Wang's.
Ok, now done.
greg k-h
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/