On 04/21/2014 04:26 PM, Manfred Spraul wrote:
> find_vma_intersection does not work as intended if addr+size overflows.
> The patch adds a manual check before the call to find_vma_intersection.
>
> Signed-off-by: Manfred Spraul <manfred@xxxxxxxxxxxxxxxx>
> ---
> ipc/shm.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/ipc/shm.c b/ipc/shm.c
> index 7645961..382e2fb 100644
> --- a/ipc/shm.c
> +++ b/ipc/shm.c
> @@ -1160,6 +1160,9 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr,
> down_write(¤t->mm->mmap_sem);
> if (addr && !(shmflg & SHM_REMAP)) {
> err = -EINVAL;
> + if (addr + size < addr)
> + goto invalid;
> +
> if (find_vma_intersection(current->mm, addr, addr + size))
> goto invalid;
> /*
>
Acked-by: Michael Kerrisk <mtk.manpages@xxxxxxxxx>
--
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@xxxxxxxxx. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@xxxxxxxxx";> email@xxxxxxxxx </a>