Subject: + ipc-shmc-check-for-integer-overflow-during-shmget.patch added to -mm tree
To: manfred@xxxxxxxxxxxxxxxx,davidlohr@xxxxxx,kosaki.motohiro@xxxxxxxxxxxxxx,mtk.manpages@xxxxxxxxx
From: akpm@xxxxxxxxxxxxxxxxxxxx
Date: Wed, 23 Apr 2014 15:38:34 -0700
The patch titled
Subject: ipc/shm.c: check for integer overflow during shmget.
has been added to the -mm tree. Its filename is
ipc-shmc-check-for-integer-overflow-during-shmget.patch
This patch should soon appear at
http://ozlabs.org/~akpm/mmots/broken-out/ipc-shmc-check-for-integer-overflow-during-shmget.patch
and later at
http://ozlabs.org/~akpm/mmotm/broken-out/ipc-shmc-check-for-integer-overflow-during-shmget.patch
Before you just go and hit "reply", please:
a) Consider who else should be cc'ed
b) Prefer to cc a suitable mailing list as well
c) Ideally: find the original patch on the mailing list and do a
reply-to-all to that, adding suitable additional cc's
*** Remember to use Documentation/SubmitChecklist when testing your code ***
The -mm tree is included into linux-next and is updated
there every 3-4 working days
------------------------------------------------------
From: Manfred Spraul <manfred@xxxxxxxxxxxxxxxx>
Subject: ipc/shm.c: check for integer overflow during shmget.
SHMMAX is the upper limit for the size of a shared memory segment, counted
in bytes. The actual allocation is that size, rounded up to the next full
page.
Add a check that prevents the creation of segments where the rounded up
size causes an integer overflow.
Signed-off-by: Manfred Spraul <manfred@xxxxxxxxxxxxxxxx>
Acked-by: Davidlohr Bueso <davidlohr@xxxxxx>
Acked-by: KOSAKI Motohiro <kosaki.motohiro@xxxxxxxxxxxxxx>
Acked-by: Michael Kerrisk <mtk.manpages@xxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
---
ipc/shm.c | 3 +++
1 file changed, 3 insertions(+)
diff -puN ipc/shm.c~ipc-shmc-check-for-integer-overflow-during-shmget ipc/shm.c
--- a/ipc/shm.c~ipc-shmc-check-for-integer-overflow-during-shmget
+++ a/ipc/shm.c
@@ -493,6 +493,9 @@ static int newseg(struct ipc_namespace *
if (size < SHMMIN || size > ns->shm_ctlmax)
return -EINVAL;
+ if (numpages << PAGE_SHIFT < size)
+ return -ENOSPC;
+
if (ns->shm_tot + numpages < ns->shm_tot ||
ns->shm_tot + numpages > ns->shm_ctlall)
return -ENOSPC;
_
Patches currently in -mm which might be from manfred@xxxxxxxxxxxxxxxx are
ipc-constify-ipc_ops.patch
ipc-shmc-check-for-ulong-overflows-in-shmat.patch
ipc-shmc-check-for-overflows-of-shm_tot.patch
ipc-shmc-check-for-integer-overflow-during-shmget.patch
ipc-shmc-increase-the-defaults-for-shmall-shmmax.patch
slab-leaks3-default-y.patch
--
To unsubscribe from this list: send the line "unsubscribe mm-commits" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
