Overview
About vulnerability
In the Linux kernel, the following vulnerability has been resolved:
comedi: Fail COMEDI_INSNLIST ioctl if n_insns is too large
The handling of the COMEDI_INSNLIST ioctl allocates a kernel buffer to
hold the array of struct comedi_insn, getting the length from the
n_insns member of the struct comedi_insnlist supplied by the user.
The allocation will fail with a WARNING and a stack dump if it is too
large.
Avoid that by failing with an -EINVAL error if the supplied n_insns
value is unreasonable.
Define the limit on the n_insns value in the MAX_INSNS macro. Set
this to the same value as MAX_SAMPLES (65536), which is the maximum
allowed sum of the values of the member n in the array of struct comedi_insn, and sensible comedi instructions will have an n of at
least 1.
Details
- Affected product:
- AlmaLinux 9.2 ESU , CentOS 6 ELS , CentOS 7 ELS , CentOS 8.4 ELS , CentOS 8.5 ELS , CentOS Stream 8 ELS , CloudLinux 7 ELS , Oracle Linux 6 ELS , Oracle Linux 7 ELS , RHEL 7 ELS , TuxCare 9.6 ESU , Ubuntu 16.04 ELS , Ubuntu 18.04 ELS , Ubuntu 20.04 ELS
- Affected packages:
- linux-hwe @ 4.15.0 (+15 more)
In the Linux kernel, the following vulnerability has been resolved:
comedi: Fail COMEDI_INSNLIST ioctl if n_insns is too large
The handling of the COMEDI_INSNLIST ioctl allocates a kernel buffer to
hold the array of struct comedi_insn, getting the length from the
n_insns member of the struct comedi_insnlist supplied by the user.
The allocation will fail with a WARNING and a stack dump if it is too
large.
Avoid that by failing with an -EINVAL error if the supplied n_insns
value is unreasonable.
Define the limit on the n_insns value in the MAX_INSNS macro. Set
this to the same value as MAX_SAMPLES (65536), which is the maximum
allowed sum of the values of the member n in the array of struct comedi_insn, and sensible comedi instructions will have an n of at
least 1.