Missing overflow check in mmap

From: Andreas Schwab <schwab_at_suse.de>
Date: 2004-04-06 02:49:45
Calling mmap with len == -1 was silently accepted.

Andreas.

--- linux-2.6.5/arch/ia64/kernel/sys_ia64.c.~1~	2004-04-04 05:37:23.000000000 +0200
+++ linux-2.6.5/arch/ia64/kernel/sys_ia64.c	2004-04-05 18:16:24.424002264 +0200
@@ -201,10 +201,16 @@ do_mmap2 (unsigned long addr, unsigned l
 	 * A zero mmap always succeeds in Linux, independent of whether or not the
 	 * remaining arguments are valid.
 	 */
-	len = PAGE_ALIGN(len);
 	if (len == 0)
 		goto out;
 
+	/* Careful about overflows.. */
+	len = PAGE_ALIGN(len);
+	if (!len || len > TASK_SIZE) {
+		addr = -EINVAL;
+		goto out;
+	}
+
 	/*
 	 * Don't permit mappings into unmapped space, the virtual page table of a region,
 	 * or across a region boundary.  Note: RGN_MAP_LIMIT is equal to 2^n-PAGE_SIZE

-- 
Andreas Schwab, SuSE Labs, schwab@suse.de
SuSE Linux AG, Maxfeldstraße 5, 90409 Nürnberg, Germany
Key fingerprint = 58CA 54C7 6D53 942B 1756  01D3 44D5 214B 8276 4ED5
"And now for something completely different."
-
To unsubscribe from this list: send the line "unsubscribe linux-ia64" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Received on Mon Apr 5 12:55:29 2004

This archive was generated by hypermail 2.1.8 : 2005-08-02 09:20:25 EST