oss-sec mailing list archives

CVE request - kernel: char: Int overflow in lp_do_ioctl()

From: Yongjian Xu <xuyongjiande () gmail com>
Date: Tue, 31 Dec 2013 14:33:57 +0800

Hi,

https://git.kernel.org/cgit/linux/kernel/git/next/linux-next.git/commit/?id=1c2de820d66d704c7d6fffdd872b7670eb4e29bb

This is an integer overflow, and can be controlled via ioctl.

arg comes from user-space, so int overflow may occur in this:
LP_TIME(minor) = arg * HZ/100;

Current thread:

CVE request - kernel: char: Int overflow in lp_do_ioctl() Yongjian Xu (Dec 30)
- Re: CVE request - kernel: char: Int overflow in lp_do_ioctl() Greg KH (Dec 30)