[PATCH 1/4] ipc/shm.c: check for ulong overflows in shmat

From: Manfred Spraul
Date: Sat Apr 19 2014 - 07:45:34 EST


find_vma_intersection does not work properly if addr+size overflows.
The patch adds a manual check before the call to find_vma_intersection.

Signed-off-by: Manfred Spraul <manfred@xxxxxxxxxxxxxxxx>
---
ipc/shm.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/ipc/shm.c b/ipc/shm.c
index 7645961..382e2fb 100644
--- a/ipc/shm.c
+++ b/ipc/shm.c
@@ -1160,6 +1160,9 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr,
down_write(&current->mm->mmap_sem);
if (addr && !(shmflg & SHM_REMAP)) {
err = -EINVAL;
+ if (addr + size < addr)
+ goto invalid;
+
if (find_vma_intersection(current->mm, addr, addr + size))
goto invalid;
/*
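Review bot: The added `if (addr + size < addr)` test carries no comment, and it only works because the sum wraps as an unsigned value (the subject line says ulong). A one-line comment above it, saying that the `addr + size` end address passed to find_vma_intersection() would otherwise wrap below the start, would keep the intent obvious to later readers. The test also sits inside `if (addr && !(shmflg & SHM_REMAP))`, so an attach with SHM_REMAP set skips it. The commit message should say whether the wrapped range is rejected elsewhere on that path, or the test should move above the branch.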
--
1.9.0
