From: Larry Woodman <lwoodman@redhat.com>
Date: Fri, 24 Sep 2010 16:04:48 +0000 (-0400)
Subject: Avoid pgoff overflow in remap_file_pages
X-Git-Tag: v2.6.36-rc6~32
X-Git-Url: https://git.kernelconcepts.de/?a=commitdiff_plain;h=5ec1055aa5632dd7a8283cdb5fa9be3c535eaa06;p=karo-tx-linux.git

Avoid pgoff overflow in remap_file_pages

Thomas Pollet noticed that the remap_file_pages() system call in
fremap.c has a potential overflow in the first part of the if statement
below, which could cause it to process bogus input parameters.
Specifically the pgoff + size parameters could be wrap thereby
preventing the system call from failing when it should.

Reported-by: Thomas Pollet <thomas.pollet@gmail.com>
Signed-off-by: Larry Woodman <lwoodman@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
---

diff --git a/mm/fremap.c b/mm/fremap.c
index 7b7f852848de..ec520c7b28df 100644
--- a/mm/fremap.c
+++ b/mm/fremap.c
@@ -141,6 +141,10 @@ SYSCALL_DEFINE5(remap_file_pages, unsigned long, start, unsigned long, size,
 	if (start + size <= start)
 		return err;
 
+	/* Does pgoff wrap? */
+	if (pgoff + (size >> PAGE_SHIFT) < pgoff)
+		return err;
+
 	/* Can we represent this offset inside this architecture's pte's? */
 #if PTE_FILE_MAX_BITS < BITS_PER_LONG
 	if (pgoff + (size >> PAGE_SHIFT) >= (1UL << PTE_FILE_MAX_BITS))