Skip to content

Commit

Permalink
xen-gntalloc: integer overflow in gntalloc_ioctl_alloc()
Browse files Browse the repository at this point in the history 
On 32 bit systems a high value of op.count could lead to an integer
overflow in the kzalloc() and gref_ids would be smaller than
expected.  If the you triggered another integer overflow in
"if (gref_size + op.count > limit)" then you'd probably get memory
corruption inside add_grefs().

CC: stable@kernel.org
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
  • Loading branch information
Dan Carpenter authored and Konrad Rzeszutek Wilk committed Nov 16, 2011
1 parent fc6e0c3 commit 21643e6
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion drivers/xen/gntalloc.c
View file
Original file line number Diff line number Diff line change
@@ -280,7 +280,7 @@ static long gntalloc_ioctl_alloc(struct gntalloc_file_private_data *priv,
goto out;
}

gref_ids = kzalloc(sizeof(gref_ids[0]) * op.count, GFP_TEMPORARY);
gref_ids = kcalloc(op.count, sizeof(gref_ids[0]), GFP_TEMPORARY);
if (!gref_ids) {
rc = -ENOMEM;
goto out;

0 comments on commit 21643e6

Please sign in to comment.