Commit 21643e69 authored by Dan Carpenter's avatar Dan Carpenter Committed by Konrad Rzeszutek Wilk

xen-gntalloc: integer overflow in gntalloc_ioctl_alloc()

On 32 bit systems a high value of op.count could lead to an integer
overflow in the kzalloc() and gref_ids would be smaller than
expected.  If the you triggered another integer overflow in
"if (gref_size + op.count > limit)" then you'd probably get memory
corruption inside add_grefs().

Signed-off-by: default avatarDan Carpenter <>
Signed-off-by: default avatarKonrad Rzeszutek Wilk <>
parent fc6e0c3b
......@@ -280,7 +280,7 @@ static long gntalloc_ioctl_alloc(struct gntalloc_file_private_data *priv,
goto out;
gref_ids = kzalloc(sizeof(gref_ids[0]) * op.count, GFP_TEMPORARY);
gref_ids = kcalloc(op.count, sizeof(gref_ids[0]), GFP_TEMPORARY);
if (!gref_ids) {
rc = -ENOMEM;
goto out;
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment