The patch titled Subject: exec-account-for-argv-envp-pointers-fix has been added to the -mm tree. Its filename is exec-account-for-argv-envp-pointers-fix.patch This patch should soon appear at http://ozlabs.org/~akpm/mmots/broken-out/exec-account-for-argv-envp-pointers-fix.patch and later at http://ozlabs.org/~akpm/mmotm/broken-out/exec-account-for-argv-envp-pointers-fix.patch Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/SubmitChecklist when testing your code *** The -mm tree is included into linux-next and is updated there every 3-4 working days ------------------------------------------------------ From: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> Subject: exec-account-for-argv-envp-pointers-fix additional commenting from Kees Cc: Kees Cook <keescook@xxxxxxxxxxxx> Cc: Michal Hocko <mhocko@xxxxxxxx> Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> --- fs/exec.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff -puN fs/exec.c~exec-account-for-argv-envp-pointers-fix fs/exec.c --- a/fs/exec.c~exec-account-for-argv-envp-pointers-fix +++ a/fs/exec.c 
@@ -226,6 +226,14 @@ static struct page *get_arg_page(struct /* * Since the stack will hold pointers to the strings, we * must account for them as well. + * + * The size calculation is the entire vma while each arg page is + * built, so each time we get here it's calculating how far it + * is currently (rather than each call being just the newly + * added size from the arg page). As a result, we need to + * always add the entire size of the pointers, so that on the + * last call to get_arg_page() we'll actually have the entire + * correct size. */ ptr_size = (bprm->argc + bprm->envc) * sizeof(void *); if (ptr_size > ULONG_MAX - size) _ Patches currently in -mm which might be from akpm@xxxxxxxxxxxxxxxxxxxx are i-need-old-gcc.patch exec-account-for-argv-envp-pointers-fix.patch arm-arch-arm-include-asm-pageh-needs-personalityh.patch ocfs2-old-mle-put-and-release-after-the-function-dlm_add_migration_mle-called-fix.patch ocfs2-dlm-optimization-of-code-while-free-dead-node-locks-checkpatch-fixes.patch mm.patch mm-slub-wrap-cpu_slab-partial-in-config_slub_cpu_partial-fix.patch swap-add-block-io-poll-in-swapin-path-checkpatch-fixes.patch mm-oom_kill-count-global-and-memory-cgroup-oom-kills-fix.patch mm-oom_kill-count-global-and-memory-cgroup-oom-kills-fix-fix.patch mm-swap-sort-swap-entries-before-free-fix.patch mm-vmscan-avoid-thrashing-anon-lru-when-free-file-is-low-fix.patch mm-hwpoison-dissolve-in-use-hugepage-in-unrecoverable-memory-error-fix.patch mm-hugetlb-warn-the-user-when-issues-arise-on-boot-due-to-hugepages-fix.patch mm-improve-readability-of-transparent_hugepage_enabled-fix.patch mm-improve-readability-of-transparent_hugepage_enabled-fix-fix.patch hugetlb-memory_hotplug-prefer-to-use-reserved-pages-for-migration-fix.patch signal-avoid-undefined-behaviour-in-kill_something_info-fix.patch kernel-reboot-add-devm_register_reboot_notifier-fix.patch fault-inject-support-systematic-fault-injection-fix.patch linux-next-rejects.patch 
powerpc-64s-implement-arch-specific-hardlockup-watchdog-checkpatch-fixes.patch kernel-forkc-export-kernel_thread-to-modules.patch slab-leaks3-default-y.patch
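Review bot: the comment paragraph added in the get_arg_page() hunk is hard to parse, because "it" changes referent mid-sentence ("each time we get here it's calculating how far it is currently") and the variable being described, size, is never named. Suggest wording it in terms of the code, for example: "size covers the entire vma built so far, not just the increment from this arg page, so the full ptr_size must be added on every call; that way the total is correct on the last call to get_arg_page()." It would also help to state that this is why ptr_size is recomputed from bprm->argc and bprm->envc on each call rather than accumulated, since a reader seeing the addition guarded by "if (ptr_size > ULONG_MAX - size)" could otherwise assume the pointers are being counted more than once.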