[PATCH/2.6.5] fix for potential integer overflow in zoran driver(was: [CHECKER] 21 probable missing bounds checks)
From: Ronald S. Bultje
Date: Wed Apr 07 2004 - 19:48:44 EST
Hi Andrew,
Attached patch fixes a potential integer overflow in zoran_procs.c (part
of the zr36067 driver). Bug was detected by Ken Ashcraft (see below),
you've probably received more of those.
Thanks to Ken for detecting.
Ronald
On Tue, 2004-04-06 at 02:45, Ken Ashcraft wrote:
> ---------------------------------------------------------
> [BUG] vmalloc(count + 1) can overflow
> /home/kash/interface/linux-2.6.3/drivers/acpi/battery.c:591:acpi_battery_write_alarm:
> NOTE:BOUND: Checking arg count [EXAMPLE=proc_dir_entry.write_proc-2]
> /home/kash/interface/linux-2.6.3/drivers/media/video/zoran_procfs.c:217:zoran_write_proc:
> ERROR:BOUND: Not checking arg count [COUNTER=proc_dir_entry.write_proc-2]
> [fit=2] [fit_fn=1] [fn_ex=0] [fn_counter=1] [ex=13] [counter=1] [z =
> -0.367883603690978] [fn-z = -4.35889894354067]
> KERN_ERR
> "%s: write_proc: can not allocate memory\n",
> ZR_DEVNAME(zr));
> return -ENOMEM;
> }
>
> Error --->
> if (copy_from_user(string, buffer, count)) {
> vfree (string);
> return -EFAULT;
> }
> ---------------------------------------------------------
--- linux-2.6.5/drivers/media/video/zoran_procfs.c-old 2004-04-07 20:41:59.000000000 +0200
+++ linux-2.6.5/drivers/media/video/zoran_procfs.c 2004-04-07 20:42:08.000000000 +0200
@@ -204,6 +204,10 @@
char *line, *ldelim, *varname, *svar, *tdelim;
struct zoran *zr;
+ /* Random maximum */
+ if (count > 256)
+ return -EINVAL;
+
zr = (struct zoran *) data;
string = sp = vmalloc(count + 1);