On 04/14/16 at 09:00pm, Russell King wrote: > Ensure that user memory sizes do not wrap around when validating the > user input, which can lead to the following input validation working > incorrectly. > > Signed-off-by: Russell King <rmk+kernel at arm.linux.org.uk> > --- > kernel/kexec_core.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/kernel/kexec_core.c b/kernel/kexec_core.c > index 8d34308ea449..d719a4d0ef55 100644 > --- a/kernel/kexec_core.c > +++ b/kernel/kexec_core.c > @@ -169,6 +169,8 @@ int sanity_check_segment_list(struct kimage *image) > > mstart = image->segment[i].mem; > mend = mstart + image->segment[i].memsz; > + if (mstart > mend) > + return result; The type of image->segment[i].memsz is unsigned. So it is no need to have a test here. The next several test will catch if image->segment[i].memsz is equal to 0. Thanks Minfei > if ((mstart & ~PAGE_MASK) || (mend & ~PAGE_MASK)) > return result; > if (mend >= KEXEC_DESTINATION_MEMORY_LIMIT) > -- > 2.1.0 > > > _______________________________________________ > kexec mailing list > kexec at lists.infradead.org > http://lists.infradead.org/mailman/listinfo/kexec