Re: [PATCH] comedi: integer overflow in do_insnlist_ioctl()

[Ian Abbott]

On 2011-11-23 14:50, Dan Carpenter wrote:
> On Wed, Nov 23, 2011 at 08:59:52AM -0500, Xi Wang wrote:
> > Thanks for the pointer.  However you cannot do the overflow check using
> >
> >    if (sizeof(struct comedi_insn) * insnlist.n_insns <  insnlist.n_insns)
> >
> > Let's assume 32-bit system, sizeof(struct comedi_insn) = 32, and
> > insnlist.n_insns = 0x7fffffff.
> >
> > Note that 32 * 0x7fffffff = 0xffffffe0 overflows but bypasses your check.
>
> Argh...  You're right, my check is wrong.  What I like about my patch
> though is that it doesn't introduce an arbitrary limit.  Could you
> redo your check without the MAX_INSNS?

Could use something like:

	if (insnlist.n_insns <= ULONG_MAX / sizeof(struct comedi_insn))
		insns =
			kmalloc(sizeof(struct comedi_insn) * insnlist.n_insns,
				GFP_KERNEL);
	if (!insns)
		...

(note that insns is initialized to NULL).

--
-=( Ian Abbott @ MEV Ltd.    E-mail: <abbotti@xxxxxxxxx>        )=-
-=( Tel: +44 (0)161 477 1898   FAX: +44 (0)161 718 3587         )=-
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/