From 1376327ce1f790070ec7128b285e2d8965e760a5 Mon Sep 17 00:00:00 2001 From: Manfred Spraul Date: Fri, 6 Jun 2014 14:37:41 -0700 Subject: [PATCH] ipc/shm.c: check for integer overflow during shmget. SHMMAX is the upper limit for the size of a shared memory segment, counted in bytes. The actual allocation is that size, rounded up to the next full page. Add a check that prevents the creation of segments where the rounded up size causes an integer overflow. Signed-off-by: Manfred Spraul Acked-by: Davidlohr Bueso Acked-by: KOSAKI Motohiro Acked-by: Michael Kerrisk Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- ipc/shm.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ipc/shm.c b/ipc/shm.c index 9e51bf246344..89fc354156cb 100644 --- a/ipc/shm.c +++ b/ipc/shm.c @@ -493,6 +493,9 @@ static int newseg(struct ipc_namespace *ns, struct ipc_params *params) if (size < SHMMIN || size > ns->shm_ctlmax) return -EINVAL; + if (numpages << PAGE_SHIFT < size) + return -ENOSPC; + if (ns->shm_tot + numpages < ns->shm_tot || ns->shm_tot + numpages > ns->shm_ctlall) return -ENOSPC; -- 2.34.1