integer overflows in kernel/relay.c

From: Dan Carpenter
Date: Tue Feb 07 2012 - 09:12:22 EST

Next message: Vinod Koul: "RE: [PATCH 01/11] dmaengine: add context parametertoprep_slave_sgand prep_dma_cyclic"
Previous message: Stephane Eranian: "Re: [PATCH v5 11/18] perf: add code to support PERF_SAMPLE_BRANCH_STACK"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

My static checker is warning about integer overflows in kernel/relay.c

relay_create_buf()
170
171 buf->padding = kmalloc(chan->n_subbufs * sizeof(size_t *), GFP_KERNEL);
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
This can only overflow on 32bit systems.

172 if (!buf->padding)
173 goto free_buf;
174

relay_open()
582 chan->version = RELAYFS_CHANNEL_VERSION;
583 chan->n_subbufs = n_subbufs;
584 chan->subbuf_size = subbuf_size;
585 chan->alloc_size = FIX_SIZE(subbuf_size * n_subbufs);
^^^^^^^^^^^^^^^^^^^^^^^
586 chan->parent = parent;

These come from the user in blk_trace_setup() and they aren't capped.
I'm not sure what the maximum size to use is.

regards,
dan carpenter
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Vinod Koul: "RE: [PATCH 01/11] dmaengine: add context parametertoprep_slave_sgand prep_dma_cyclic"
Previous message: Stephane Eranian: "Re: [PATCH v5 11/18] perf: add code to support PERF_SAMPLE_BRANCH_STACK"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]