diff options
author | Manfred Spraul | 2014-06-06 14:37:40 -0700 |
---|---|---|
committer | Linus Torvalds | 2014-06-06 16:08:14 -0700 |
commit | 09c6eb1f651dad601f02435bbd79734954960c42 (patch) | |
tree | 8777788a3a4f7ebdc2805cd84d276584ecee3491 | |
parent | 247a8ce8229b16d4ffa9f5125fb6583aa749679d (diff) |
ipc/shm.c: check for overflows of shm_tot
shm_tot counts the total number of pages used by shm segments.
If SHMALL is ULONG_MAX (or nearly ULONG_MAX), then the number can
overflow. Subsequent calls to shmctl(,SHM_INFO,) would return wrong
values for shm_tot.
The patch adds a detection for overflows.
Signed-off-by: Manfred Spraul <manfred@colorfullife.com>
Acked-by: Davidlohr Bueso <davidlohr@hp.com>
Acked-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Acked-by: Michael Kerrisk <mtk.manpages@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-rw-r--r-- | ipc/shm.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/ipc/shm.c b/ipc/shm.c index dda8f1ff3c35..9e51bf246344 100644 --- a/ipc/shm.c +++ b/ipc/shm.c @@ -493,7 +493,8 @@ static int newseg(struct ipc_namespace *ns, struct ipc_params *params) if (size < SHMMIN || size > ns->shm_ctlmax) return -EINVAL; - if (ns->shm_tot + numpages > ns->shm_ctlall) + if (ns->shm_tot + numpages < ns->shm_tot || + ns->shm_tot + numpages > ns->shm_ctlall) return -ENOSPC; shp = ipc_rcu_alloc(sizeof(*shp)); |