In the Linux kernel, the following vulnerability has been resolved: comedi: aioiiro16: Fix bit shift out of bounds When checking for a supported IRQ number, the following test is used: if ((1 << it->options[1]) & 0xdcfc) { However, it->options[i]
is an unchecked int
value from userspace, so the shift amount could be negative or out of bounds. Fix the test by requiring it->options[1]
to be within bounds before proceeding with the original test. Valid it->options[1]
values that select the IRQ will be in the range [1,15]. The value 0 explicitly disables the use of interrupts.