staging: vt6656: integer overflows in private_ioctl()

There are two potential integer overflows in private_ioctl() if userspace passes in a large sList.uItem / sNodeList.uItem. The subsequent call to kmalloc() would allocate a small buffer, leading to a memory corruption. Reported-by: N Dan Rosenberg <drosenberg@vsecurity.com> Signed-off-by: N Xi Wang <xi.wang@gmail.com> Signed-off-by: N Greg Kroah-Hartman <gregkh@suse.de>

staging: vt6656: integer overflows in private_ioctl()
There are two potential integer overflows in private_ioctl() if userspace passes in a large sList.uItem / sNodeList.uItem. The subsequent call to kmalloc() would allocate a small buffer, leading to a memory corruption. Reported-by: N Dan Rosenberg <drosenberg@vsecurity.com> Signed-off-by: N Xi Wang <xi.wang@gmail.com> Signed-off-by: N Greg Kroah-Hartman <gregkh@suse.de>
20132043 · Xi Wang · Greg Kroah-Hartman · 2a58b19f · 20132043
隐藏空白更改
内联并排

Showing with 8 addition and 0 deletion

drivers/staging/vt6656/ioctl.c drivers/staging/vt6656/ioctl.c +8 -0

未找到文件。
--- a/drivers/staging/vt6656/ioctl.c
+++ b/drivers/staging/vt6656/ioctl.c
@@ -295,6 +295,10 @@ int private_ioctl(PSDevice pDevice, struct ifreq *rq)
 			result = -EFAULT;
 			break;
 		}
+		if (sList.uItem > (ULONG_MAX - sizeof(SBSSIDList)) / sizeof(SBSSIDItem)) {
+			result = -EINVAL;
+			break;
+		}
 		pList = (PSBSSIDList)kmalloc(sizeof(SBSSIDList) + (sList.uItem * sizeof(SBSSIDItem)), (int)GFP_ATOMIC);
 		if (pList == NULL) {
 			result = -ENOMEM;
@@ -557,6 +561,10 @@ int private_ioctl(PSDevice pDevice, struct ifreq *rq)
 			result = -EFAULT;
 			break;
 		}
+		if (sNodeList.uItem > (ULONG_MAX - sizeof(SNodeList)) / sizeof(SNodeItem)) {
+			result = -ENOMEM;
+			break;
+		}
 		pNodeList = (PSNodeList)kmalloc(sizeof(SNodeList) + (sNodeList.uItem * sizeof(SNodeItem)), (int)GFP_ATOMIC);
 		if (pNodeList == NULL) {
 			result = -ENOMEM;