ipc/shm.c: check for integer overflow during shmget. SHMMAX is the upper limit for the size of a shared memory segment, counted in bytes. The actual allocation is that size, rounded up to the next full page. Add a check that prevents the creation of segments where the rounded up size causes an integer overflow. Signed-off-by: Manfred Spraul <[email protected]> Acked-by: Davidlohr Bueso <[email protected]> Acked-by: KOSAKI Motohiro <[email protected]> Acked-by: Michael Kerrisk <[email protected]> Signed-off-by: Andrew Morton <[email protected]> Signed-off-by: Linus Torvalds <[email protected]>

commit: 1376327ce1f790070ec7128b285e2d8965e760a5 [log] [tgz]
author: Manfred Spraul <[email protected]> Fri Jun 06 14:37:41 2014 -0700
committer: Linus Torvalds <[email protected]> Fri Jun 06 16:08:14 2014 -0700
tree: 6d6c8b14231b487e476e0aa84775173be45ff455
parent: 09c6eb1f651dad601f02435bbd79734954960c42 [diff] [blame]
diff --git a/ipc/shm.c b/ipc/shm.c
index 9e51bf2..89fc354 100644
--- a/ipc/shm.c
+++ b/ipc/shm.c

@@ -493,6 +493,9 @@
 	if (size < SHMMIN || size > ns->shm_ctlmax)
 		return -EINVAL;
 
+	if (numpages << PAGE_SHIFT < size)
+		return -ENOSPC;
+
 	if (ns->shm_tot + numpages < ns->shm_tot ||
 			ns->shm_tot + numpages > ns->shm_ctlall)
 		return -ENOSPC;
commit	1376327ce1f790070ec7128b285e2d8965e760a5	[log] [tgz]
author	Manfred Spraul <[email protected]>	Fri Jun 06 14:37:41 2014 -0700
committer	Linus Torvalds <[email protected]>	Fri Jun 06 16:08:14 2014 -0700
tree	6d6c8b14231b487e476e0aa84775173be45ff455
parent	09c6eb1f651dad601f02435bbd79734954960c42 [diff] [blame]