From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752093AbaDUOby (ORCPT ); Mon, 21 Apr 2014 10:31:54 -0400 Received: from mail-ee0-f49.google.com ([74.125.83.49]:63634 "EHLO mail-ee0-f49.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751639AbaDUObr (ORCPT ); Mon, 21 Apr 2014 10:31:47 -0400 From: Manfred Spraul To: Davidlohr Bueso , Michael Kerrisk , Martin Schwidefsky Cc: LKML , Andrew Morton , KAMEZAWA Hiroyuki , KOSAKI Motohiro , gthelen@google.com, aswin@hp.com, linux-mm@kvack.org, Manfred Spraul Subject: [PATCH 3/4] ipc/shm.c: check for integer overflow during shmget. Date: Mon, 21 Apr 2014 16:26:36 +0200 Message-Id: <1398090397-2397-4-git-send-email-manfred@colorfullife.com> X-Mailer: git-send-email 1.9.0 In-Reply-To: <1398090397-2397-3-git-send-email-manfred@colorfullife.com> References: <1398090397-2397-1-git-send-email-manfred@colorfullife.com> <1398090397-2397-2-git-send-email-manfred@colorfullife.com> <1398090397-2397-3-git-send-email-manfred@colorfullife.com> Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org SHMMAX is the upper limit for the size of a shared memory segment, counted in bytes. The actual allocation is that size, rounded up to the next full page. Add a check that prevents the creation of segments where the rounded up size causes an integer overflow. Signed-off-by: Manfred Spraul --- ipc/shm.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ipc/shm.c b/ipc/shm.c index 2dfa3d6..f000696 100644 --- a/ipc/shm.c +++ b/ipc/shm.c @@ -493,6 +493,9 @@ static int newseg(struct ipc_namespace *ns, struct ipc_params *params) if (size < SHMMIN || size > ns->shm_ctlmax) return -EINVAL; + if (numpages << PAGE_SHIFT < size) + return -ENOSPC; + if (ns->shm_tot + numpages < ns->shm_tot || ns->shm_tot + numpages > ns->shm_ctlall) return -ENOSPC; -- 1.9.0