aboutsummaryrefslogtreecommitdiffstats
path: root/mm/fremap.c
diff options
context:
space:
mode:
authorLarry Woodman <lwoodman@redhat.com>2010-09-24 12:04:48 -0400
committerLinus Torvalds <torvalds@linux-foundation.org>2010-09-25 12:34:58 -0400
commit5ec1055aa5632dd7a8283cdb5fa9be3c535eaa06 (patch)
tree231fa9a989433ee7fab796342f7ebc2c3e167342 /mm/fremap.c
parent8ae09259ffe2402e956efd5a36220b6161e9ecb3 (diff)
Avoid pgoff overflow in remap_file_pages
Thomas Pollet noticed that the remap_file_pages() system call in fremap.c has a potential overflow in the first part of the if statement below, which could cause it to process bogus input parameters. Specifically the pgoff + size parameters could be wrap thereby preventing the system call from failing when it should. Reported-by: Thomas Pollet <thomas.pollet@gmail.com> Signed-off-by: Larry Woodman <lwoodman@redhat.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'mm/fremap.c')
-rw-r--r--mm/fremap.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/mm/fremap.c b/mm/fremap.c
index 7b7f852848de..ec520c7b28df 100644
--- a/mm/fremap.c
+++ b/mm/fremap.c
@@ -141,6 +141,10 @@ SYSCALL_DEFINE5(remap_file_pages, unsigned long, start, unsigned long, size,
141 if (start + size <= start) 141 if (start + size <= start)
142 return err; 142 return err;
143 143
144 /* Does pgoff wrap? */
145 if (pgoff + (size >> PAGE_SHIFT) < pgoff)
146 return err;
147
144 /* Can we represent this offset inside this architecture's pte's? */ 148 /* Can we represent this offset inside this architecture's pte's? */
145#if PTE_FILE_MAX_BITS < BITS_PER_LONG 149#if PTE_FILE_MAX_BITS < BITS_PER_LONG
146 if (pgoff + (size >> PAGE_SHIFT) >= (1UL << PTE_FILE_MAX_BITS)) 150 if (pgoff + (size >> PAGE_SHIFT) >= (1UL << PTE_FILE_MAX_BITS))