char: Int overflow in lp_do_ioctl(). · tjh.dev/kernel@1c2de82

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

char: Int overflow in lp_do_ioctl().

arg comes from user-space, so int overflow may occur:
LP_TIME(minor) = arg * HZ/100;

Reported-by: Yongjian Xu <xuyongjiande@gmail.com>
Suggested-by: Qixue Xiao <s2exqx@gmail.com>
Signed-off-by: Yu Chen <chyyuu@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

authored by

Yongjian Xu and committed by

Greg Kroah-Hartman 12 years ago 1c2de820 138a6d7e

1 changed file

expand all

drivers

char

lp.c

drivers/char/lp.c

··· 587 587 return -ENODEV; 588 588 switch ( cmd ) { 589 589 case LPTIME: 590 + if (arg > UINT_MAX / HZ) 591 + return -EINVAL; 590 592 LP_TIME(minor) = arg * HZ/100; 591 593 break; 592 594 case LPCHAR: