ipc/shm.c: check for integer overflow during shmget.
authorManfred Spraul <manfred@colorfullife.com>
Fri, 6 Jun 2014 21:37:41 +0000 (14:37 -0700)
committerLinus Torvalds <torvalds@linux-foundation.org>
Fri, 6 Jun 2014 23:08:14 +0000 (16:08 -0700)
SHMMAX is the upper limit for the size of a shared memory segment, counted
in bytes.  The actual allocation is that size, rounded up to the next full
page.

Add a check that prevents the creation of segments where the rounded up
size causes an integer overflow.

Signed-off-by: Manfred Spraul <manfred@colorfullife.com>
Acked-by: Davidlohr Bueso <davidlohr@hp.com>
Acked-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Acked-by: Michael Kerrisk <mtk.manpages@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
ipc/shm.c

index 9e51bf24634463d5ec0e493a6888173d57ac7b0a..89fc354156cb918342751f72e1017727877d86e0 100644 (file)
--- a/ipc/shm.c
+++ b/ipc/shm.c
@@ -493,6 +493,9 @@ static int newseg(struct ipc_namespace *ns, struct ipc_params *params)
        if (size < SHMMIN || size > ns->shm_ctlmax)
                return -EINVAL;
 
+       if (numpages << PAGE_SHIFT < size)
+               return -ENOSPC;
+
        if (ns->shm_tot + numpages < ns->shm_tot ||
                        ns->shm_tot + numpages > ns->shm_ctlall)
                return -ENOSPC;