Commit 5ec1055

LarryWoodman authored and torvalds committed
Avoid pgoff overflow in remap_file_pages
Thomas Pollet noticed that the remap_file_pages() system call in fremap.c has a potential overflow in the first part of the if statement below, which could cause it to process bogus input parameters. Specifically, the pgoff + size parameters could wrap, thereby preventing the system call from failing when it should.

Reported-by: Thomas Pollet <thomas.pollet@gmail.com>
Signed-off-by: Larry Woodman <lwoodman@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
1 parent 8ae0925 commit 5ec1055

1 file changed

+4
-0
lines changed

mm/fremap.c

Lines changed: 4 additions & 0 deletions
@@ -141,6 +141,10 @@ SYSCALL_DEFINE5(remap_file_pages, unsigned long, start, unsigned long, size,
141141
if (start + size <= start)
142142
return err;
143143

144+
/* Does pgoff wrap? */
145+
if (pgoff + (size >> PAGE_SHIFT) < pgoff)
146+
return err;
147+
144148
/* Can we represent this offset inside this architecture's pte's? */
145149
#if PTE_FILE_MAX_BITS < BITS_PER_LONG
146150
if (pgoff + (size >> PAGE_SHIFT) >= (1UL << PTE_FILE_MAX_BITS))
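
Review bot: the comment on the added check at new line 144, `/* Does pgoff wrap? */`, names the wrong quantity: it is the sum `pgoff + (size >> PAGE_SHIFT)` that wraps, not pgoff on its own, so wording such as "Does pgoff + size (in pages) wrap?" would match the test. The same sum is evaluated again in the `PTE_FILE_MAX_BITS` comparison a few lines further down; computing it once into a local and using it in both tests would keep the two from drifting apart, and would make it obvious that the range comparison is only meaningful after the wrap test has passed, since a wrapped sum is small and would slip under `1UL << PTE_FILE_MAX_BITS`. The `< pgoff` idiom is only well defined for unsigned operands, and pgoff's declaration falls outside the visible part of the `SYSCALL_DEFINE5` line, so that is worth confirming. The commit message also refers to "the if statement below" without quoting one; naming the `PTE_FILE_MAX_BITS` test there would make the message self-contained.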
