ipc/shm.c: check for integer overflow during shmget.
SHMMAX is the upper limit for the size of a shared memory segment, counted in bytes. The actual allocation is that size, rounded up to the next full page. Add a check that prevents the creation of segments where the rounded up size causes an integer overflow. Signed-off-by: Manfred Spraul <manfred@colorfullife.com> Acked-by: Davidlohr Bueso <davidlohr@hp.com> Acked-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com> Acked-by: Michael Kerrisk <mtk.manpages@gmail.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
This commit is contained in:
parent
09c6eb1f65
commit
1376327ce1
@ -493,6 +493,9 @@ static int newseg(struct ipc_namespace *ns, struct ipc_params *params)
|
||||
if (size < SHMMIN || size > ns->shm_ctlmax)
|
||||
return -EINVAL;
|
||||
|
||||
if (numpages << PAGE_SHIFT < size)
|
||||
return -ENOSPC;
|
||||
|
||||
if (ns->shm_tot + numpages < ns->shm_tot ||
|
||||
ns->shm_tot + numpages > ns->shm_ctlall)
|
||||
return -ENOSPC;
|
||||
|
Loading…
Reference in New Issue
Block a user