From mboxrd@z Thu Jan 1 00:00:00 1970 Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S965174AbeALUec (ORCPT + 1 other); Fri, 12 Jan 2018 15:34:32 -0500 Received: from mail-wm0-f47.google.com ([74.125.82.47]:45029 "EHLO mail-wm0-f47.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S964851AbeALUeb (ORCPT ); Fri, 12 Jan 2018 15:34:31 -0500 X-Google-Smtp-Source: ACJfBoulSXuoOkSSthumdX5SfmSpRJiQHTzecCwl9JGvRDd6Mwpzb62sUFDGAotek2ctjLwW6TlgZQ== Date: Fri, 12 Jan 2018 23:34:27 +0300 From: Alexey Dobriyan To: akpm@linux-foundation.org Cc: linux-kernel@vger.kernel.org Subject: [PATCH] elf: fix NT_FILE integer overflow Message-ID: <20180112203427.GA9109@avx2> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.7.2 (2016-11-26) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Return-Path: If vm.max_map_count bumped above 2^26 (67+ mil) and system has enough RAM to allocate all the VMAs (~12.8 GB on Fedora 27 with 200-byte VMAs), then it should be possible to overflow 32-bit "size", pass paranoia check, allocate very little vmalloc space and oops while writing into vmalloc guard page... But I didn't test this, only coredump of regular process. Signed-off-by: Alexey Dobriyan --- fs/binfmt_elf.c | 2 ++ 1 file changed, 2 insertions(+) --- a/fs/binfmt_elf.c +++ b/fs/binfmt_elf.c @@ -1599,6 +1599,8 @@ static int fill_files_note(struct memelfnote *note) /* *Estimated* file count and total data size needed */ count = current->mm->map_count; + if (count > UINT_MAX / 64) + return -EINVAL; size = count * 64; names_ofs = (2 + 3 * count) * sizeof(data[0]);