In the Linux kernel, the following vulnerability has been resolved:
comedi: Fail COMEDIINSNLIST ioctl if ninsns is too large
The handling of the COMEDI_INSNLIST
ioctl allocates a kernel buffer to
hold the array of struct comedi_insn
, getting the length from the
n_insns
member of the struct comedi_insnlist
supplied by the user.
The allocation will fail with a WARNING and a stack dump if it is too
large.
Avoid that by failing with an -EINVAL
error if the supplied n_insns
value is unreasonable.
Define the limit on the n_insns
value in the MAX_INSNS
macro. Set
this to the same value as MAX_SAMPLES
(65536), which is the maximum
allowed sum of the values of the member n
in the array of struct
comedi_insn
, and sensible comedi instructions will have an n
of at
least 1.