Avoid pgoff overflow in remap_file_pages (5ec1055a) · Commits · e / devices / android_kernel_xiaomi_markw

Thomas Pollet noticed that the remap_file_pages() system call in fremap.c has a potential overflow in the first part of the if statement below, which could cause it to process bogus input parameters. Specifically the pgoff + size parameters could be wrap thereby preventing the system call from failing when it should. Reported-by:

Thomas Pollet <thomas.pollet@gmail.com> Signed-off-by:

Larry Woodman <lwoodman@redhat.com> Signed-off-by:

Linus Torvalds <torvalds@linux-foundation.org>

mm/fremap.c

+4 −0

Original line number	Original line	Diff line number	Diff line
	@@ -141,6 +141,10 @@ SYSCALL_DEFINE5(remap_file_pages, unsigned long, start, unsigned long, size,
	if (start + size <= start)		if (start + size <= start)
	return err;		return err;

			/* Does pgoff wrap? */
			if (pgoff + (size >> PAGE_SHIFT) < pgoff)
			return err;

	/* Can we represent this offset inside this architecture's pte's? */		/* Can we represent this offset inside this architecture's pte's? */
	#if PTE_FILE_MAX_BITS < BITS_PER_LONG		#if PTE_FILE_MAX_BITS < BITS_PER_LONG
	if (pgoff + (size >> PAGE_SHIFT) >= (1UL << PTE_FILE_MAX_BITS))		if (pgoff + (size >> PAGE_SHIFT) >= (1UL << PTE_FILE_MAX_BITS))