diff options
author | Siddhesh Poyarekar <siddhesh.poyarekar@gmail.com> | 2012-05-29 18:06:22 -0400 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2012-05-29 19:22:19 -0400 |
commit | 7edc8b0ac16cbaed7cb4ea4c6b95ce98d2997e84 (patch) | |
tree | e333f72f3dc2c91385b8392bc31a44f5423d7f5c /kernel/fork.c | |
parent | 841e31e5cc6219d62054788faa289b6ed682d068 (diff) |
mm/fork: fix overflow in vma length when copying mmap on clone
The vma length in dup_mmap is calculated and stored in a unsigned int,
which is insufficient and hence overflows for very large maps (beyond
16TB). The following program demonstrates this:
#include <stdio.h>
#include <unistd.h>
#include <sys/mman.h>
#define GIG 1024 * 1024 * 1024L
#define EXTENT 16393
int main(void)
{
int i, r;
void *m;
char buf[1024];
for (i = 0; i < EXTENT; i++) {
m = mmap(NULL, (size_t) 1 * 1024 * 1024 * 1024L,
PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, 0, 0);
if (m == (void *)-1)
printf("MMAP Failed: %d\n", m);
else
printf("%d : MMAP returned %p\n", i, m);
r = fork();
if (r == 0) {
printf("%d: successed\n", i);
return 0;
} else if (r < 0)
printf("FORK Failed: %d\n", r);
else if (r > 0)
wait(NULL);
}
return 0;
}
Increase the storage size of the result to unsigned long, which is
sufficient for storing the difference between addresses.
Signed-off-by: Siddhesh Poyarekar <siddhesh.poyarekar@gmail.com>
Cc: Tejun Heo <tj@kernel.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Jens Axboe <axboe@kernel.dk>
Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
Acked-by: Hugh Dickins <hughd@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'kernel/fork.c')
-rw-r--r-- | kernel/fork.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/kernel/fork.c b/kernel/fork.c index 5b13eea2e757..017fb23d5983 100644 --- a/kernel/fork.c +++ b/kernel/fork.c | |||
@@ -386,7 +386,8 @@ static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm) | |||
386 | } | 386 | } |
387 | charge = 0; | 387 | charge = 0; |
388 | if (mpnt->vm_flags & VM_ACCOUNT) { | 388 | if (mpnt->vm_flags & VM_ACCOUNT) { |
389 | unsigned int len = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT; | 389 | unsigned long len; |
390 | len = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT; | ||
390 | if (security_vm_enough_memory_mm(oldmm, len)) /* sic */ | 391 | if (security_vm_enough_memory_mm(oldmm, len)) /* sic */ |
391 | goto fail_nomem; | 392 | goto fail_nomem; |
392 | charge = len; | 393 | charge = len; |