path: root/mm/fremap.c
author Larry Woodman <lwoodman@redhat.com> 2010-09-24 16:04:48 (GMT)
committer Linus Torvalds <torvalds@linux-foundation.org> 2010-09-25 16:34:58 (GMT)
commit 5ec1055aa5632dd7a8283cdb5fa9be3c535eaa06 (patch)
tree 231fa9a989433ee7fab796342f7ebc2c3e167342 /mm/fremap.c
parent 8ae09259ffe2402e956efd5a36220b6161e9ecb3 (diff)
Avoid pgoff overflow in remap_file_pages
Thomas Pollet noticed that the remap_file_pages() system call in fremap.c has a potential overflow in the first part of the if statement below, which could cause it to process bogus input parameters. Specifically the pgoff + size parameters could wrap, thereby preventing the system call from failing when it should.

Reported-by: Thomas Pollet <thomas.pollet@gmail.com>
Signed-off-by: Larry Woodman <lwoodman@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'mm/fremap.c')
1 files changed, 4 insertions, 0 deletions
diff --git a/mm/fremap.c b/mm/fremap.c
index 7b7f852..ec520c7 100644
--- a/mm/fremap.c
+++ b/mm/fremap.c
@@ -141,6 +141,10 @@ SYSCALL_DEFINE5(remap_file_pages, unsigned long, start, unsigned long, size,
if (start + size <= start)
return err;
+ /* Does pgoff wrap? */
+ if (pgoff + (size >> PAGE_SHIFT) < pgoff)
+ return err;
/* Can we represent this offset inside this architecture's pte's? */
if (pgoff + (size >> PAGE_SHIFT) >= (1UL << PTE_FILE_MAX_BITS))
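Review bot: the comment "Does pgoff wrap?" on the added check undersells what is being tested and why it sits where it does. It is the sum pgoff + (size >> PAGE_SHIFT) that wraps, and the test has to come before the PTE_FILE_MAX_BITS comparison on the next lines, because a wrapped sum is small and would pass that `>=` test. I would say both things in the comment. The expression is now written out twice, so consider computing it once into a local so the two tests cannot drift apart. The `< pgoff` test also relies on pgoff being an unsigned type; the SYSCALL_DEFINE5 line in the hunk header is cut off before pgoff's declaration, so that is worth confirming against the full signature.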

