Sending -1 as the shmid to shmat will cause an oops. 2.2.16 caught this
with simple boundry checking, so replace the lines
if (!shm_sb || (shmid % SEQ_MULTIPLIER) == zero_id)
return -EINVAL;
with
if (!shm_sb || shmid < 0 || (shmid % SEQ_MULTIPLIER) == zero_id)
return -EINVAL;
Simple program to demonstrate the bug...
#include <sys/ipc.h>
#include <sys/shm.h>
int main(void) {
shmat(-1,0,0);
return 0;
}
Rich
[EMAIL PROTECTED]
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
Please read the FAQ at http://www.tux.org/lkml/
