Sending -1 as the shmid to shmat will cause an oops. 2.2.16 caught this
with simple boundary checking, so replace the lines
        if (!shm_sb || (shmid % SEQ_MULTIPLIER) == zero_id)
                return -EINVAL;
with
        if (!shm_sb || shmid < 0 || (shmid % SEQ_MULTIPLIER) == zero_id)
                return -EINVAL;
Simple program to demonstrate the bug...
#include <sys/ipc.h>
#include <sys/shm.h>

int main(void) {
        /* shmid of -1: a negative id that the unpatched check does not reject */
        shmat(-1, 0, 0);
        return 0;
}
Rich
jerrell@missioncriticallinux.com
This archive was generated by hypermail 2b29 : Thu Nov 23 2000 - 21:00:10 EST
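
The two checks from the message above, modelled in user space as an added example (not part of the original post and not kernel code). The values of SEQ_MULTIPLIER and ZERO_ID and the helper names are assumptions made for illustration, and the `!shm_sb` test is left out. It shows that C's remainder keeps the sign of a negative id, so the modulo test alone does not reject -1, and any lookup indexing a table by that remainder would be handed a negative slot.

```c
#include <errno.h>
#include <stdio.h>

#define SEQ_MULTIPLIER 32768    /* assumed value for this model */
#define ZERO_ID        0        /* assumed reserved slot */

/* Check as quoted before the fix: only the reserved slot is rejected. */
static int check_unpatched(int shmid)
{
    if ((shmid % SEQ_MULTIPLIER) == ZERO_ID)
        return -EINVAL;
    return 0;
}

/* Check as quoted after the fix: negative ids are rejected first. */
static int check_patched(int shmid)
{
    if (shmid < 0 || (shmid % SEQ_MULTIPLIER) == ZERO_ID)
        return -EINVAL;
    return 0;
}

/* Slot a lookup would derive from the id. C's % truncates toward zero,
 * so a negative id gives a negative slot. */
static int slot_of(int shmid)
{
    return shmid % SEQ_MULTIPLIER;
}

int main(void)
{
    int ids[] = { -1, -32769, 0, 1, 32769 };    /* constructed sample ids */
    size_t i;

    for (i = 0; i < sizeof ids / sizeof ids[0]; i++)
        printf("id=%6d slot=%6d unpatched=%d patched=%d\n",
               ids[i], slot_of(ids[i]),
               check_unpatched(ids[i]), check_patched(ids[i]));
    return 0;
}
```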