On 12/03/2014 08:51 PM, Naoya Horiguchi wrote: > On Wed, Dec 03, 2014 at 07:24:07PM -0500, Sasha Levin wrote: >> > "offset + len" has the potential of overflowing. Validate this user input >> > first to avoid undefined behaviour. >> > >> > Signed-off-by: Sasha Levin <sasha.levin@xxxxxxxxxx> >> > --- >> > mm/shmem.c | 3 +++ >> > 1 file changed, 3 insertions(+) >> > >> > diff --git a/mm/shmem.c b/mm/shmem.c >> > index 185836b..5a0e344 100644 >> > --- a/mm/shmem.c >> > +++ b/mm/shmem.c >> > @@ -2098,6 +2098,9 @@ static long shmem_fallocate(struct file *file, int mode, loff_t offset, >> > } >> > >> > /* We need to check rlimit even when FALLOC_FL_KEEP_SIZE */ >> > + error = -EOVERFLOW; >> > + if ((u64)len + offset < (u64)len) >> > + goto out; > Hi Sasha, > > It seems to me that we already do some overflow check in common path, > do_fallocate(): > > /* Check for wrap through zero too */ > if (((offset + len) > inode->i_sb->s_maxbytes) || ((offset + len) < 0)) > return -EFBIG; > > Do we really need another check? It looks like we actually need to fix this snippet you pasted rather than shmem_fallocate(). We can't check for ((offset + len) < 0) since both offset and length are signed integers. I'll send a patch to deal with that rather that this shmem specific one. Thanks! Thanks, Sasha -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@xxxxxxxxx. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: <a href=mailto:"dont@xxxxxxxxx"> email@xxxxxxxxx </a>