aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorManfred Spraul2014-06-06 14:37:40 -0700
committerLinus Torvalds2014-06-06 16:08:14 -0700
commit09c6eb1f651dad601f02435bbd79734954960c42 (patch)
tree8777788a3a4f7ebdc2805cd84d276584ecee3491
parent247a8ce8229b16d4ffa9f5125fb6583aa749679d (diff)
ipc/shm.c: check for overflows of shm_tot
shm_tot counts the total number of pages used by shm segments. If SHMALL is ULONG_MAX (or nearly ULONG_MAX), then the number can overflow. Subsequent calls to shmctl(,SHM_INFO,) would return wrong values for shm_tot. The patch adds a detection for overflows. Signed-off-by: Manfred Spraul <manfred@colorfullife.com> Acked-by: Davidlohr Bueso <davidlohr@hp.com> Acked-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com> Acked-by: Michael Kerrisk <mtk.manpages@gmail.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-rw-r--r--ipc/shm.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/ipc/shm.c b/ipc/shm.c
index dda8f1ff3c35..9e51bf246344 100644
--- a/ipc/shm.c
+++ b/ipc/shm.c
@@ -493,7 +493,8 @@ static int newseg(struct ipc_namespace *ns, struct ipc_params *params)
if (size < SHMMIN || size > ns->shm_ctlmax)
return -EINVAL;
- if (ns->shm_tot + numpages > ns->shm_ctlall)
+ if (ns->shm_tot + numpages < ns->shm_tot ||
+ ns->shm_tot + numpages > ns->shm_ctlall)
return -ENOSPC;
shp = ipc_rcu_alloc(sizeof(*shp));