SHMMAX is the upper limit of a shared memory segment, counted in bytes. The actual allocation is that size, rounded up to the next full page. Add a check that prevents the creation of segments where the rounded up size causes an integer overflow. Signed-off-by: Manfred Spraul <manfred@xxxxxxxxxxxxxxxx> --- ipc/shm.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ipc/shm.c b/ipc/shm.c index 2dfa3d6..f000696 100644 --- a/ipc/shm.c +++ b/ipc/shm.c @@ -493,6 +493,9 @@ static int newseg(struct ipc_namespace *ns, struct ipc_params *params) if (size < SHMMIN || size > ns->shm_ctlmax) return -EINVAL; + if (numpages << PAGE_SHIFT < size) + return -ENOSPC; + if (ns->shm_tot + numpages < ns->shm_tot || ns->shm_tot + numpages > ns->shm_ctlall) return -ENOSPC; -- 1.9.0 -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@xxxxxxxxx. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: <a href=mailto:"dont@xxxxxxxxx";> email@xxxxxxxxx </a>