diff options
| author | Manfred Spraul <manfred@colorfullife.com> | 2014-06-06 17:37:40 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2014-06-06 19:08:14 -0400 |
| commit | 09c6eb1f651dad601f02435bbd79734954960c42 (patch) | |
| tree | 8777788a3a4f7ebdc2805cd84d276584ecee3491 /ipc | |
| parent | 247a8ce8229b16d4ffa9f5125fb6583aa749679d (diff) | |
ipc/shm.c: check for overflows of shm_tot
shm_tot counts the total number of pages used by shm segments.
If SHMALL is ULONG_MAX (or nearly ULONG_MAX), then the number can
overflow. Subsequent calls to shmctl(,SHM_INFO,) would return wrong
values for shm_tot.
The patch adds a detection for overflows.
Signed-off-by: Manfred Spraul <manfred@colorfullife.com>
Acked-by: Davidlohr Bueso <davidlohr@hp.com>
Acked-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Acked-by: Michael Kerrisk <mtk.manpages@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'ipc')
| -rw-r--r-- | ipc/shm.c | 3 |
1 files changed, 2 insertions, 1 deletions
| @@ -493,7 +493,8 @@ static int newseg(struct ipc_namespace *ns, struct ipc_params *params) | |||
| 493 | if (size < SHMMIN || size > ns->shm_ctlmax) | 493 | if (size < SHMMIN || size > ns->shm_ctlmax) |
| 494 | return -EINVAL; | 494 | return -EINVAL; |
| 495 | 495 | ||
| 496 | if (ns->shm_tot + numpages > ns->shm_ctlall) | 496 | if (ns->shm_tot + numpages < ns->shm_tot || |
| 497 | ns->shm_tot + numpages > ns->shm_ctlall) | ||
| 497 | return -ENOSPC; | 498 | return -ENOSPC; |
| 498 | 499 | ||
| 499 | shp = ipc_rcu_alloc(sizeof(*shp)); | 500 | shp = ipc_rcu_alloc(sizeof(*shp)); |