From 5ec1055aa5632dd7a8283cdb5fa9be3c535eaa06 Mon Sep 17 00:00:00 2001
From: Larry Woodman
Date: Fri, 24 Sep 2010 12:04:48 -0400
Subject: Avoid pgoff overflow in remap_file_pages

Thomas Pollet noticed that the remap_file_pages() system call in fremap.c has a potential overflow in the first part of the if statement below, which could cause it to process bogus input parameters. Specifically the pgoff + size parameters could be wrap thereby preventing the system call from failing when it should.

Reported-by: Thomas Pollet
Signed-off-by: Larry Woodman
Signed-off-by: Linus Torvalds
---
 mm/fremap.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/mm/fremap.c b/mm/fremap.c
index 7b7f852848de..ec520c7b28df 100644
--- a/mm/fremap.c
+++ b/mm/fremap.c
@@ -141,6 +141,10 @@ SYSCALL_DEFINE5(remap_file_pages, unsigned long, start, unsigned long, size,
 	if (start + size <= start)
 		return err;
 
+	/* Does pgoff wrap? */
+	if (pgoff + (size >> PAGE_SHIFT) < pgoff)
+		return err;
+
 	/* Can we represent this offset inside this architecture's pte's? */
 #if PTE_FILE_MAX_BITS < BITS_PER_LONG
 	if (pgoff + (size >> PAGE_SHIFT) >= (1UL << PTE_FILE_MAX_BITS))
-- 
cgit v1.2.1
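Review bot: The new guard's comment `/* Does pgoff wrap? */` does not say why a wrap test is needed right before the `PTE_FILE_MAX_BITS` range test that follows it; the reason is that the `#if PTE_FILE_MAX_BITS < BITS_PER_LONG` block below is compiled out on configurations where a pte can hold a full `unsigned long`, so on those the added check is the only bound on `pgoff + (size >> PAGE_SHIFT)`. I would expand the comment to `/* pgoff is a page index: reject pgoff + npages wrapping, since the PTE_FILE_MAX_BITS bound below is compiled out when PTE_FILE_MAX_BITS >= BITS_PER_LONG */`. The same sum is now written twice in consecutive conditions; hoisting it into a local would need a declaration at the top of the function under the kernel's C90 style, which lies outside this hunk, so leaving the expression duplicated is acceptable here. The body of remap_file_pages starts before and continues after the hunk, so whether `size` has already been page-aligned (which decides whether `size >> PAGE_SHIFT` can silently drop a partial page from the range being checked) is not visible from this hunk.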