find_vma_intersection does not work properly if addr+size overflows.
The patch adds a manual check before the call to find_vma_intersection.

Signed-off-by: Manfred Spraul <manf...@colorfullife.com>
---
 ipc/shm.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/ipc/shm.c b/ipc/shm.c
index 7645961..382e2fb 100644
--- a/ipc/shm.c
+++ b/ipc/shm.c
@@ -1160,6 +1160,9 @@ long do_shmat(int shmid, char __user *shmaddr, int 
shmflg, ulong *raddr,
        down_write(&current->mm->mmap_sem);
        if (addr && !(shmflg & SHM_REMAP)) {
                err = -EINVAL;
+               if (addr + size < addr)
+                       goto invalid;
+
                if (find_vma_intersection(current->mm, addr, addr + size))
                        goto invalid;
                /*
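Review bot: the wraparound test added ahead of `find_vma_intersection()` sits inside `if (addr && !(shmflg & SHM_REMAP))`, so an attach that passes SHM_REMAP with an `addr` and `size` whose sum wraps never reaches it. If anything later on that path also uses `addr + size`, hoist the check so it covers every non-zero `addr`, or say in the changelog why the SHM_REMAP case is safe. A short comment above `if (addr + size < addr)` noting that it guards against wraparound, and that it relies on both operands being unsigned (their declarations are not visible in this hunk), would keep the reason next to the code instead of only in the commit message.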
-- 
1.9.0
