From: Jerome Marchand <jmarchan@redhat.com>
Date: Thu, 9 Sep 2010 23:37:59 +0000 (-0700)
Subject: kernel/groups.c: fix integer overflow in groups_search
X-Git-Tag: firefly_0821_release~10186^2~1003
X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=0776127797119f67f8bc350938e32dbe68631edc;p=firefly-linux-kernel-4.4.55.git

kernel/groups.c: fix integer overflow in groups_search

commit 1c24de60e50fb19b94d94225458da17c720f0729 upstream.

gid_t is a unsigned int.  If group_info contains a gid greater than
MAX_INT, groups_search() function may look on the wrong side of the search
tree.

This solves some unfair "permission denied" problems.

Signed-off-by: Jerome Marchand <jmarchan@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---

diff --git a/kernel/groups.c b/kernel/groups.c
index 2b45b2ee3964..f0c2528f56fe 100644
--- a/kernel/groups.c
+++ b/kernel/groups.c
@@ -143,10 +143,9 @@ int groups_search(const struct group_info *group_info, gid_t grp)
 	right = group_info->ngroups;
 	while (left < right) {
 		unsigned int mid = (left+right)/2;
-		int cmp = grp - GROUP_AT(group_info, mid);
-		if (cmp > 0)
+		if (grp > GROUP_AT(group_info, mid))
 			left = mid + 1;
-		else if (cmp < 0)
+		else if (grp < GROUP_AT(group_info, mid))
 			right = mid;
 		else
 			return 1;