The local variable 'pos' comes from userspace. If a large number was
passed, there would be an integer overflow in the following line:
pos += n;
Signed-off-by: Wenliang Fan
---
fs/nilfs2/ioctl.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/fs/nilfs2/ioctl.c b/fs/nilfs2/ioctl.c
The local variable 'pos' comes from userspace. If a large number was
passed, there would be an integer overflow in the following line:
pos += n;
Signed-off-by: Wenliang Fan fanwle...@gmail.com
---
fs/nilfs2/ioctl.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/fs/nilfs2/ioctl.c b
The checking condition in 'validateFlash2xReadWrite()' is not
sufficient. A large number invalid would cause an integer overflow and
pass the condition, which could cause further integer overflows in
'Bcmchar.c:bcm_char_ioctl()'.
Signed-off-by: Wenliang Fan
---
drivers/staging/bcm/nvm.c | 9
The checking condition in 'validateFlash2xReadWrite()' is not
sufficient. A large number invalid would cause an integer overflow and
pass the condition, which could cause further integer overflows in
'Bcmchar.c:bcm_char_ioctl()'.
Signed-off-by: Wenliang Fan
---
drivers/staging/bcm/nvm.c | 5
The checking condition in 'validateFlash2xReadWrite()' is not
sufficient. A large number invalid would cause an integer overflow and
pass the condition, which could cause further integer overflows in
'Bcmchar.c:bcm_char_ioctl()'.
Signed-off-by: Wenliang Fan fanwle...@gmail.com
---
drivers
The checking condition in 'validateFlash2xReadWrite()' is not
sufficient. A large number invalid would cause an integer overflow and
pass the condition, which could cause further integer overflows in
'Bcmchar.c:bcm_char_ioctl()'.
Signed-off-by: Wenliang Fan fanwle...@gmail.com
---
drivers
The local variable 'pos' comes from userspace. If a large number was
passed, there would be an integer overflow in the following line:
pos += n;
Signed-off-by: Wenliang Fan
---
fs/nilfs2/ioctl.c | 7 ++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/fs/nilfs2/ioctl.c
The local variable 'new_size' comes from userspace. If a large number
was passed, there would be an integer overflow in the following line:
new_size = old_size + new_size;
Signed-off-by: Wenliang Fan
---
fs/btrfs/ioctl.c | 4
1 file changed, 4 insertions(+)
diff --git a/fs/btrfs
The checking condition in 'validateFlash2xReadWrite()' is not sufficient.
A large number invalid would cause an integer overflow and pass
the condition, which could cause further integer overflows in
'Bcmchar.c:bcm_char_ioctl()'.
Signed-off-by: Wenliang Fan
---
drivers/staging/bcm/nvm.c | 4
The checking condition in 'validateFlash2xReadWrite()' is not sufficient.
A large number invalid would cause an integer overflow and pass
the condition, which could cause further integer overflows in
'Bcmchar.c:bcm_char_ioctl()'.
Signed-off-by: Wenliang Fan fanwle...@gmail.com
---
drivers
The local variable 'new_size' comes from userspace. If a large number
was passed, there would be an integer overflow in the following line:
new_size = old_size + new_size;
Signed-off-by: Wenliang Fan fanwle...@gmail.com
---
fs/btrfs/ioctl.c | 4
1 file changed, 4 insertions(+)
diff
The local variable 'pos' comes from userspace. If a large number was
passed, there would be an integer overflow in the following line:
pos += n;
Signed-off-by: Wenliang Fan fanwle...@gmail.com
---
fs/nilfs2/ioctl.c | 7 ++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git
terval * HZ
Signed-off-by: Wenliang Fan
---
drivers/net/wireless/hostap/hostap_ioctl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/wireless/hostap/hostap_ioctl.c
b/drivers/net/wireless/hostap/hostap_ioctl.c
index e509030..63e350a 100644
--- a/drivers/net/wi
* HZ
Signed-off-by: Wenliang Fan fanwle...@gmail.com
---
drivers/net/wireless/hostap/hostap_ioctl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/wireless/hostap/hostap_ioctl.c
b/drivers/net/wireless/hostap/hostap_ioctl.c
index e509030..63e350a 100644
The local variable 'bi' comes from userspace. If userspace passed a
large number to 'bi.data.calibrate', there would be an integer overflow
in the following line:
s->hdlctx.calibrate = bi.data.calibrate * s->par.bitrate / 16;
Signed-off-by: Wenliang Fan
---
drivers/net/ha
The local variable 'bi' comes from userspace. If userspace passed a
large number to 'bi.data.calibrate', there would be an integer overflow
in the following line:
s-hdlctx.calibrate = bi.data.calibrate * s-par.bitrate / 16;
Signed-off-by: Wenliang Fan fanwle...@gmail.com
---
drivers/net
16 matches
Mail list logo