arch_get_unmapped_area() could potentially allow a larger than possible length when using the MAP_FIXED flag. The bound check should come before the check for MAP_FIXED.

Fixes: ca56c8ee6fa0 (v2.4.3.2 -> v2.4.3.3)
Signed-off-by: Liam R. Howlett <Liam.Howlett@xxxxxxxxxx>
---
 arch/sparc/kernel/sys_sparc_32.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/arch/sparc/kernel/sys_sparc_32.c b/arch/sparc/kernel/sys_sparc_32.c
index 082a551897ed..2e0e35420fa3 100644
--- a/arch/sparc/kernel/sys_sparc_32.c
+++ b/arch/sparc/kernel/sys_sparc_32.c
@@ -43,6 +43,10 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi
 {
 	struct vm_unmapped_area_info info;
 
+	/* See asm-sparc/uaccess.h */
+	if (len > TASK_SIZE - PAGE_SIZE)
+		return -ENOMEM;
+
 	if (flags & MAP_FIXED) {
 		/* We do not accept a shared mapping if it would violate
 		 * cache aliasing constraints.
@@ -53,9 +57,6 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi
 		return addr;
 	}
 
-	/* See asm-sparc/uaccess.h */
-	if (len > TASK_SIZE - PAGE_SIZE)
-		return -ENOMEM;
 	if (!addr)
 		addr = TASK_UNMAPPED_BASE;
 
-- 
2.30.2
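Review bot: The `if (flags & MAP_FIXED)` branch still returns `addr` after the relocated length check without confirming that `addr + len` stays below the same `TASK_SIZE - PAGE_SIZE` limit, so a fixed mapping whose end crosses that boundary is rejected only if the generic caller does it, and that caller's bound (not visible here) may be `TASK_SIZE` rather than `TASK_SIZE - PAGE_SIZE`. Consider adding `if (addr > TASK_SIZE - PAGE_SIZE - len) return -ENOMEM;` as the first statement of the MAP_FIXED block; it is safe to evaluate there because `len` has just been bounded, so the subtraction cannot wrap. The moved comment `/* See asm-sparc/uaccess.h */` now heads the function but points at a header path that is likely stale; a self-contained comment such as `/* The last page below TASK_SIZE is reserved; keep len within the user range (see the user-range check in uaccess_32.h) */` would spare the reader a lookup, once the reason is confirmed against the current header. arch_get_unmapped_area's body continues past both hunks.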