On Fri, 02/13 19:06, Dan Rosenberg wrote: > > > + if (ncmds <= 0 || !cmds) > > + return -EINVAL; > > + cmd_size = sizeof(struct epoll_ctl_cmd) * ncmds; > > + kcmds = kmalloc(cmd_size, GFP_KERNEL); > You should probably fix the integer overflow in the calculation of the > cmd_size variable, unless you like root vulnerabilities. >
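Review bot: the `cmd_size = sizeof(struct epoll_ctl_cmd) * ncmds;` line multiplies by a count whose only visible check is `ncmds <= 0`, so there is no upper bound and a large enough value can wrap `cmd_size` before it reaches kmalloc(). Either reject ncmds above a fixed maximum before the multiply, or allocate with kmalloc_array(ncmds, sizeof(struct epoll_ctl_cmd), GFP_KERNEL), which returns NULL when the product overflows. An explicit cap also keeps a caller from requesting an arbitrarily large allocation even where the product does not wrap.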
Thanks! In the case of multiply overflow, we allocate a buffer that is smaller than we think, and consequent writes will corrupt kernel memory after it. That is the root vulnerability here. Will fix!

Fam
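The wrap described in the reply above, as an added example that is not code from the patch or from anyone in the thread. `struct demo_cmd` is a hypothetical stand-in for `struct epoll_ctl_cmd` (its real layout is not shown here), and `size32_t` is an assumed model of `size_t` on a 32-bit build so the result is the same on any host.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical stand-in for struct epoll_ctl_cmd; 32 bytes. */
struct demo_cmd {
    int32_t  flags;
    int32_t  op;
    int32_t  fd;
    uint32_t events;
    uint64_t data;
    int32_t  result;
    int32_t  pad;
};
_Static_assert(sizeof(struct demo_cmd) == 32, "example assumes 32-byte entries");

/* Assumption: models size_t on a 32-bit kernel. */
typedef uint32_t size32_t;

/* Unchecked form, as in the quoted hunk: the product wraps modulo 2^32. */
size32_t unchecked_size(int ncmds)
{
    return (size32_t)sizeof(struct demo_cmd) * (size32_t)ncmds;
}

/* Checked form: refuse any count whose byte size does not fit in size32_t. */
int checked_size(int ncmds, size32_t *out)
{
    if (ncmds <= 0)
        return -EINVAL;
    if ((size32_t)ncmds > UINT32_MAX / sizeof(struct demo_cmd))
        return -EINVAL;
    *out = (size32_t)sizeof(struct demo_cmd) * (size32_t)ncmds;
    return 0;
}

/* Bytes that writing ncmds entries would place past the undersized buffer. */
uint64_t bytes_past_end(int ncmds)
{
    uint64_t needed = (uint64_t)sizeof(struct demo_cmd) * (uint64_t)ncmds;
    return needed - unchecked_size(ncmds);
}
```
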