shm.c: check for integer overflow during shmget.

Manfred Spraul Sat, 19 Apr 2014 04:45:13 -0700

SHMMAX is the upper limit of a shared memory segment,
counted in bytes. The actual allocation is that size, rounded
up to the next full page.
Add a check that prevents the creation of segments where the
rounded up size causes an integer overflow.


Signed-off-by: Manfred Spraul <manf...@colorfullife.com>
---
 ipc/shm.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/ipc/shm.c b/ipc/shm.c
index 2dfa3d6..f000696 100644
--- a/ipc/shm.c
+++ b/ipc/shm.c
@@ -493,6 +493,9 @@ static int newseg(struct ipc_namespace *ns, struct 
ipc_params *params)
        if (size < SHMMIN || size > ns->shm_ctlmax)
                return -EINVAL;
 
+       if (numpages << PAGE_SHIFT < size)
+               return -ENOSPC;
+
        if (ns->shm_tot + numpages < ns->shm_tot ||
                        ns->shm_tot + numpages > ns->shm_ctlall)
                return -ENOSPC;
-- 
1.9.0

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

[PATCH 3/4] ipc/shm.c: check for integer overflow during shmget.

Reply via email to