diff options
author | Larry Woodman <lwoodman@redhat.com> | 2010-09-24 12:04:48 -0400 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2010-09-25 12:34:58 -0400 |
commit | 5ec1055aa5632dd7a8283cdb5fa9be3c535eaa06 (patch) | |
tree | 231fa9a989433ee7fab796342f7ebc2c3e167342 /mm/fremap.c | |
parent | 8ae09259ffe2402e956efd5a36220b6161e9ecb3 (diff) |
Avoid pgoff overflow in remap_file_pages
Thomas Pollet noticed that the remap_file_pages() system call in
fremap.c has a potential overflow in the first part of the if statement
below, which could cause it to process bogus input parameters.
Specifically the pgoff + size parameters could be wrap thereby
preventing the system call from failing when it should.
Reported-by: Thomas Pollet <thomas.pollet@gmail.com>
Signed-off-by: Larry Woodman <lwoodman@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'mm/fremap.c')
-rw-r--r-- | mm/fremap.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/mm/fremap.c b/mm/fremap.c index 7b7f852848de..ec520c7b28df 100644 --- a/mm/fremap.c +++ b/mm/fremap.c | |||
@@ -141,6 +141,10 @@ SYSCALL_DEFINE5(remap_file_pages, unsigned long, start, unsigned long, size, | |||
141 | if (start + size <= start) | 141 | if (start + size <= start) |
142 | return err; | 142 | return err; |
143 | 143 | ||
144 | /* Does pgoff wrap? */ | ||
145 | if (pgoff + (size >> PAGE_SHIFT) < pgoff) | ||
146 | return err; | ||
147 | |||
144 | /* Can we represent this offset inside this architecture's pte's? */ | 148 | /* Can we represent this offset inside this architecture's pte's? */ |
145 | #if PTE_FILE_MAX_BITS < BITS_PER_LONG | 149 | #if PTE_FILE_MAX_BITS < BITS_PER_LONG |
146 | if (pgoff + (size >> PAGE_SHIFT) >= (1UL << PTE_FILE_MAX_BITS)) | 150 | if (pgoff + (size >> PAGE_SHIFT) >= (1UL << PTE_FILE_MAX_BITS)) |