xen-gntalloc: integer overflow in gntalloc_ioctl_alloc() - wireguard-linux

diff options

author	Dan Carpenter <dan.carpenter@oracle.com>	2011-11-04 21:24:08 +0300
committer	Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>	2011-11-16 12:13:47 -0500
commit	21643e69a4c06f7ef155fbc70e3fba13fba4a756 (patch)
tree	8ab4fce440977edd5508abed992022674dec9d77 /lib/debugobjects.c
parent	xen-gntdev: integer overflow in gntdev_alloc_map() (diff)
download	wireguard-linux-21643e69a4c06f7ef155fbc70e3fba13fba4a756.tar.xz wireguard-linux-21643e69a4c06f7ef155fbc70e3fba13fba4a756.zip

xen-gntalloc: integer overflow in gntalloc_ioctl_alloc()

On 32 bit systems a high value of op.count could lead to an integer overflow in the kzalloc() and gref_ids would be smaller than expected. If the you triggered another integer overflow in "if (gref_size + op.count > limit)" then you'd probably get memory corruption inside add_grefs(). CC: stable@kernel.org Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>

Diffstat (limited to 'lib/debugobjects.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: