dfd8ee92a9
There is a potential integer overflow in do_insnlist_ioctl() if userspace passes in a large insnlist.n_insns. The call to kmalloc() would allocate a small buffer, leading to a memory corruption. The bug was reported by Dan Carpenter <dan.carpenter@oracle.com> and Haogang Chen <haogangchen@gmail.com>. The patch was suggested by Ian Abbott <abbotti@mev.co.uk> and Lars-Peter Clausen <lars@metafoo.de>. Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Reported-by: Haogang Chen <haogangchen@gmail.com>. Cc: Ian Abbott <abbotti@mev.co.uk> Cc: Lars-Peter Clausen <lars@metafoo.de> Signed-off-by: Xi Wang <xi.wang@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> |
||
---|---|---|
.. | ||
drivers | ||
kcomedilib | ||
comedi.h | ||
comedi_compat32.c | ||
comedi_compat32.h | ||
comedi_fops.c | ||
comedi_fops.h | ||
comedidev.h | ||
comedilib.h | ||
drivers.c | ||
internal.h | ||
Kconfig | ||
Makefile | ||
proc.c | ||
range.c | ||
TODO |