Avoid pgoff overflow in remap_file_pages

Thomas Pollet noticed that the remap_file_pages() system call in fremap.c has a potential overflow in the first part of the if statement below, which could cause it to process bogus input parameters. Specifically the pgoff + size parameters could be wrap thereby preventing the system call from failing when it should. Reported-by: N Thomas Pollet <thomas.pollet@gmail.com> Signed-off-by: N Larry Woodman <lwoodman@redhat.com> Signed-off-by: N Linus Torvalds <torvalds@linux-foundation.org>

Avoid pgoff overflow in remap_file_pages
Thomas Pollet noticed that the remap_file_pages() system call in fremap.c has a potential overflow in the first part of the if statement below, which could cause it to process bogus input parameters. Specifically the pgoff + size parameters could be wrap thereby preventing the system call from failing when it should. Reported-by: N Thomas Pollet <thomas.pollet@gmail.com> Signed-off-by: N Larry Woodman <lwoodman@redhat.com> Signed-off-by: N Linus Torvalds <torvalds@linux-foundation.org>
5ec1055a · Larry Woodman · Linus Torvalds · 8ae09259 · 5ec1055a
隐藏空白更改
内联并排

Showing with 4 addition and 0 deletion

mm/fremap.c mm/fremap.c +4 -0

未找到文件。
--- a/mm/fremap.c
+++ b/mm/fremap.c
@@ -141,6 +141,10 @@ SYSCALL_DEFINE5(remap_file_pages, unsigned long, start, unsigned long, size,
 	if (start + size <= start)
 		return err;

+	/* Does pgoff wrap? */
+	if (pgoff + (size >> PAGE_SHIFT) < pgoff)
+		return err;
+
 	/* Can we represent this offset inside this architecture's pte's? */
 #if PTE_FILE_MAX_BITS < BITS_PER_LONG
 	if (pgoff + (size >> PAGE_SHIFT) >= (1UL << PTE_FILE_MAX_BITS))