commit 5ec1055aa5632dd7a8283cdb5fa9be3c535eaa06 · tjh.dev/kernel

tjh.dev / kernel

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

Avoid pgoff overflow in remap_file_pages

Thomas Pollet noticed that the remap_file_pages() system call in
fremap.c has a potential overflow in the first part of the if statement
below, which could cause it to process bogus input parameters.
Specifically the pgoff + size parameters could be wrap thereby
preventing the system call from failing when it should.

Reported-by: Thomas Pollet <thomas.pollet@gmail.com>
Signed-off-by: Larry Woodman <lwoodman@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

authored by Larry Woodman and committed by Linus Torvalds 15 years ago 5ec1055a 8ae09259

1 changed file

expand all

unified split

fremap.c

mm/fremap.c

··· 141 141 if (start + size <= start) 142 142 return err; 143 143 144 + /* Does pgoff wrap? */ 145 + if (pgoff + (size >> PAGE_SHIFT) < pgoff) 146 + return err; 147 + 144 148 /* Can we represent this offset inside this architecture's pte's? */ 145 149 #if PTE_FILE_MAX_BITS < BITS_PER_LONG 146 150 if (pgoff + (size >> PAGE_SHIFT) >= (1UL << PTE_FILE_MAX_BITS))