]> git.proxmox.com Git - mirror_ubuntu-eoan-kernel.git/commit
xen-gntalloc: integer overflow in gntalloc_ioctl_alloc()
authorDan Carpenter <dan.carpenter@oracle.com>
Fri, 4 Nov 2011 18:24:08 +0000 (21:24 +0300)
committerKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Wed, 16 Nov 2011 17:13:47 +0000 (12:13 -0500)
commit21643e69a4c06f7ef155fbc70e3fba13fba4a756
tree8ab4fce440977edd5508abed992022674dec9d77
parentfc6e0c3b909157748ce1c0c0f2a9935a5ee3c812
xen-gntalloc: integer overflow in gntalloc_ioctl_alloc()

On 32 bit systems a high value of op.count could lead to an integer
overflow in the kzalloc() and gref_ids would be smaller than
expected.  If the you triggered another integer overflow in
"if (gref_size + op.count > limit)" then you'd probably get memory
corruption inside add_grefs().

CC: stable@kernel.org
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
drivers/xen/gntalloc.c