Skip to content

Commit

Permalink
xen-gntalloc: integer overflow in gntalloc_ioctl_alloc()
Browse files Browse the repository at this point in the history 
commit 21643e6 upstream.

On 32 bit systems a high value of op.count could lead to an integer
overflow in the kzalloc() and gref_ids would be smaller than
expected.  If the you triggered another integer overflow in
"if (gref_size + op.count > limit)" then you'd probably get memory
corruption inside add_grefs().

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  • Loading branch information
Dan Carpenter authored and Greg Kroah-Hartman committed Nov 21, 2011
1 parent 14fa9e2 commit 1b4f3a2
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion drivers/xen/gntalloc.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -280,7 +280,7 @@ static long gntalloc_ioctl_alloc(struct gntalloc_file_private_data *priv,
goto out;
}

gref_ids = kzalloc(sizeof(gref_ids[0]) * op.count, GFP_TEMPORARY);
gref_ids = kcalloc(op.count, sizeof(gref_ids[0]), GFP_TEMPORARY);
if (!gref_ids) {
rc = -ENOMEM;
goto out;
Expand Down

0 comments on commit 1b4f3a2

Please sign in to comment.