Avoid pgoff overflow in remap_file_pages

Thomas Pollet noticed that the remap_file_pages() system call in fremap.c has a potential overflow in the first part of the if statement below, which could cause it to process bogus input parameters. Specifically the pgoff + size parameters could be wrap thereby preventing the system call from failing when it should. Reported-by: Thomas Pollet <[email protected]> Signed-off-by: Larry Woodman <[email protected]> Signed-off-by: Linus Torvalds <[email protected]>
mna · Sep 25, 2010 · 5ec1055 · 5ec1055
1 parent 8ae0925
commit 5ec1055
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/mm/fremap.c b/mm/fremap.c
@@ -141,6 +141,10 @@ SYSCALL_DEFINE5(remap_file_pages, unsigned long, start, unsigned long, size,
 	if (start + size <= start)
 		return err;
 
+	/* Does pgoff wrap? */
+	if (pgoff + (size >> PAGE_SHIFT) < pgoff)
+		return err;
+
 	/* Can we represent this offset inside this architecture's pte's? */
 #if PTE_FILE_MAX_BITS < BITS_PER_LONG
 	if (pgoff + (size >> PAGE_SHIFT) >= (1UL << PTE_FILE_MAX_BITS))