[PATCH 1/1] ipc: sem: fix used_sems overflow in newary()
From: Ren Wei
Date: Mon May 11 2026 - 06:46:45 EST
From: Ruide Cao <caoruide123@xxxxxxxxx>
newary() checks namespace-wide semaphore usage before creating a new
array, but the current accounting uses a plain signed addition.
If the accumulated semaphore count overflows, the limit check can fail
open and allow allocations past sc_semmns, breaking namespace semaphore
resource enforcement and potentially leading to resource exhaustion.

Fix this by using check_add_overflow() before comparing the new total
against sc_semmns, and reject overflow the same way as a true limit
exceed.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@xxxxxxxxxx
Reported-by: Yuan Tan <yuantan098@xxxxxxxxx>
Reported-by: Yifan Wu <yifanwucs@xxxxxxxxx>
Reported-by: Juefei Pu <tomapufckgml@xxxxxxxxx>
Reported-by: Xin Liu <bird@xxxxxxxxxx>
Signed-off-by: Ruide Cao <caoruide123@xxxxxxxxx>
Tested-by: Ren Wei <enjou1224z@xxxxxxxxx>
Signed-off-by: Ren Wei <n05ec@xxxxxxxxxx>
---
ipc/sem.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/ipc/sem.c b/ipc/sem.c
index 6cdf862b1f5c..00c45de33c46 100644
--- a/ipc/sem.c
+++ b/ipc/sem.c
@@ -535,11 +535,13 @@ static int newary(struct ipc_namespace *ns, struct ipc_params *params)
key_t key = params->key;
int nsems = params->u.nsems;
int semflg = params->flg;
+ int total_sems;
int i;
if (!nsems)
return -EINVAL;
- if (ns->used_sems + nsems > ns->sc_semmns)
+ if (check_add_overflow(ns->used_sems, nsems, &total_sems) ||
+ total_sems > ns->sc_semmns)
return -ENOSPC;
sma = sem_alloc(nsems);
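Review bot: the hunk introduces a call to check_add_overflow() but adds no `#include <linux/overflow.h>`, so the build relies on that header being pulled in transitively by ipc/sem.c's existing includes; adding the explicit include next to the new call would keep the dependency visible. The new `int total_sems` matches the types of `ns->used_sems` and `nsems`, which is what makes the check meaningful, since check_add_overflow() reports overflow relative to the destination operand's type. Returning -ENOSPC for the overflow case is consistent with the `total_sems > ns->sc_semmns` branch it now shares, and matches the description in the commit message.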
--
2.34.1