On 04/21/2014 04:26 PM, Manfred Spraul wrote: > SHMMAX is the upper limit for the size of a shared memory segment, > counted in bytes. The actual allocation is that size, rounded up to > the next full page. > Add a check that prevents the creation of segments where the > rounded up size causes an integer overflow. > > Signed-off-by: Manfred Spraul <manfred@xxxxxxxxxxxxxxxx> > --- > ipc/shm.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/ipc/shm.c b/ipc/shm.c > index 2dfa3d6..f000696 100644 > --- a/ipc/shm.c > +++ b/ipc/shm.c > @@ -493,6 +493,9 @@ static int newseg(struct ipc_namespace *ns, struct ipc_params *params) > if (size < SHMMIN || size > ns->shm_ctlmax) > return -EINVAL; > > + if (numpages << PAGE_SHIFT < size) > + return -ENOSPC; > + > if (ns->shm_tot + numpages < ns->shm_tot || > ns->shm_tot + numpages > ns->shm_ctlall) > return -ENOSPC; > Acked-by: Michael Kerrisk <mtk.manpages@xxxxxxxxx> -- Michael Kerrisk Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/ Linux/UNIX System Programming Training: http://man7.org/training/ -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@xxxxxxxxx. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: <a href=mailto:"dont@xxxxxxxxx";> email@xxxxxxxxx </a>