In the Linux kernel, the following vulnerability has been resolved:
comedi: das6402: Fix bit shift out of bounds
When checking for a supported IRQ number, the following test is used:
/* IRQs 2,3,5,6,7, 10,11,15 are valid for "enhanced" mode */
if ((1 << it->options[1]) & 0x8cec) {
However, it->options[i]
is an unchecked int
value from userspace, so
the shift amount could be negative or out of bounds. Fix the test by
requiring it->options[1]
to be within bounds before proceeding with
the original test. Valid it->options[1]
values that select the IRQ
will be in the range [1,15]. The value 0 explicitly disables the use of
interrupts.