[PATCH v2] staging: vc04_services: rework ioctl code path

Dan Carpenter dan.carpenter at oracle.com
Mon Nov 14 01:48:57 PST 2016


On Thu, Nov 10, 2016 at 10:15:31PM -0800, Michael Zoran wrote:
> +static void *
> +vchiq_ioctl_kmalloc(struct vchiq_ioctl_call_context *ctxt, size_t size)
> +{
> +	void *mem;
> +
> +	if (!ctxt->stackmem_used && size < sizeof(ctxt->stackmem)) {
> +		ctxt->stackmem_used = true;
> +		return ctxt->stackmem;
> +	}
> +
> +	mem = kmalloc(size + sizeof(void *), GFP_KERNEL);

This is a potential integer overflow leading to corruption.  I don't
understand why we need this complicated memory management anyway...

> +	if (!mem)
> +		return NULL;
> +
> +	*(void **)mem = ctxt->prev_kmalloc;
> +	ctxt->prev_kmalloc = mem;
> +
> +	return mem + sizeof(void *);
> +}
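Review bot: `kmalloc(size + sizeof(void *), GFP_KERNEL)` can wrap when `size` is within `sizeof(void *)` of SIZE_MAX, so the allocation ends up smaller than the link header plus the bytes the caller will write through the returned `mem + sizeof(void *)`, which is a heap overflow reachable from the ioctl path that hands `size` in. Add an explicit bound ahead of the call, e.g. `if (size > SIZE_MAX - sizeof(void *)) return NULL;`, or use `check_add_overflow()` to compute the total so the caller's size can never push the sum past the allocator's range. The stack-buffer branch above is not affected, since it compares `size` against `sizeof(ctxt->stackmem)` before returning `ctxt->stackmem`. A secondary point: returning `mem + sizeof(void *)` means callers get a pointer that is only pointer-aligned rather than carrying kmalloc()'s usual alignment guarantee, which is worth a comment if any caller relies on the stronger alignment.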

regards,
dan carpenter
