[PATCH] fs/nilfs2: Integer overflow in nilfs_ioctl_wrap_copy()

2013-12-27 Thread Wenliang Fan
The local variable 'pos' comes from userspace. If a large number was passed, there would be an integer overflow in the following line: pos += n; Signed-off-by: Wenliang Fan --- fs/nilfs2/ioctl.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fs/nilfs2/ioctl.c b/fs/nilf

[PATCH] drivers/staging/bcm: Integer overflow

2013-12-20 Thread Wenliang Fan
The checking condition in 'validateFlash2xReadWrite()' is not sufficient. A large number invalid would cause an integer overflow and pass the condition, which could cause further integer overflows in 'Bcmchar.c:bcm_char_ioctl()'. Signed-off-by: Wenliang Fan --- drivers/s

[PATCH] drivers/staging/bcm: Integer overflow

2013-12-20 Thread Wenliang Fan
The checking condition in 'validateFlash2xReadWrite()' is not sufficient. A large number invalid would cause an integer overflow and pass the condition, which could cause further integer overflows in 'Bcmchar.c:bcm_char_ioctl()'. Signed-off-by: Wenliang Fan --- drivers/s

[PATCH] fs/nilfs2: Integer overflow in nilfs_ioctl_wrap_copy()

2013-12-19 Thread Wenliang Fan
The local variable 'pos' comes from userspace. If a large number was passed, there would be an integer overflow in the following line: pos += n; Signed-off-by: Wenliang Fan --- fs/nilfs2/ioctl.c | 7 ++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/fs/nilf

[PATCH] fs/btrfs: Integer overflow in btrfs_ioctl_resize()

2013-12-19 Thread Wenliang Fan
The local variable 'new_size' comes from userspace. If a large number was passed, there would be an integer overflow in the following line: new_size = old_size + new_size; Signed-off-by: Wenliang Fan --- fs/btrfs/ioctl.c | 4 1 file changed, 4 insertions(+) diff --git

[PATCH] drivers/staging/bcm: Integer overflow

2013-12-19 Thread Wenliang Fan
The checking condition in 'validateFlash2xReadWrite()' is not sufficient. A large number invalid would cause an integer overflow and pass the condition, which could cause further integer overflows in 'Bcmchar.c:bcm_char_ioctl()'. Signed-off-by: Wenliang Fan --- drivers/s

[PATCH] drivers/net/wireless/hostap: Integer overflow

2013-12-17 Thread Wenliang Fan
local->passive_scan_interval * HZ Signed-off-by: Wenliang Fan --- drivers/net/wireless/hostap/hostap_ioctl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/wireless/hostap/hostap_ioctl.c b/drivers/net/wireless/hostap/hostap_ioctl.c index e509

[PATCH] drivers/net/hamradio: Integer overflow in hdlcdrv_ioctl()

2013-12-16 Thread Wenliang Fan
The local variable 'bi' comes from userspace. If userspace passed a large number to 'bi.data.calibrate', there would be an integer overflow in the following line: s->hdlctx.calibrate = bi.data.calibrate * s->par.bitrate / 16; Signed-off-by: Wenliang Fan