From: Manfred Spraul Date: Fri, 6 Jun 2014 21:37:40 +0000 (-0700) Subject: ipc/shm.c: check for overflows of shm_tot X-Git-Tag: firefly_0821_release~176^2~3820^2~4^2~57 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=09c6eb1f651dad601f02435bbd79734954960c42;p=firefly-linux-kernel-4.4.55.git ipc/shm.c: check for overflows of shm_tot shm_tot counts the total number of pages used by shm segments. If SHMALL is ULONG_MAX (or nearly ULONG_MAX), then the number can overflow. Subsequent calls to shmctl(,SHM_INFO,) would return wrong values for shm_tot. The patch adds a detection for overflows. Signed-off-by: Manfred Spraul Acked-by: Davidlohr Bueso Acked-by: KOSAKI Motohiro Acked-by: Michael Kerrisk Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- diff --git a/ipc/shm.c b/ipc/shm.c index dda8f1ff3c35..9e51bf246344 100644 --- a/ipc/shm.c +++ b/ipc/shm.c @@ -493,7 +493,8 @@ static int newseg(struct ipc_namespace *ns, struct ipc_params *params) if (size < SHMMIN || size > ns->shm_ctlmax) return -EINVAL; - if (ns->shm_tot + numpages > ns->shm_ctlall) + if (ns->shm_tot + numpages < ns->shm_tot || + ns->shm_tot + numpages > ns->shm_ctlall) return -ENOSPC; shp = ipc_rcu_alloc(sizeof(*shp));
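Review bot: The new first condition in newseg(), `ns->shm_tot + numpages < ns->shm_tot`, only detects wraparound if both operands are unsigned, and nothing in the hunk states that or explains why the test is there. A one-line comment above the `if` would help, saying that the sum can wrap when SHMALL is at or near ULONG_MAX, as the commit message describes. Without it, a later cleanup could drop the test as redundant with the `> ns->shm_ctlall` comparison on the next line. If either operand could be a signed type, the test should instead be written as a comparison of numpages against the remaining headroom (`ULONG_MAX - ns->shm_tot`), which never computes the overflowing sum. The sum is also evaluated twice; computing it once into a local would make the two comparisons easier to read.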