* Missing overflow check in mmap
@ 2004-04-05 16:49 Andreas Schwab
From: Andreas Schwab @ 2004-04-05 16:49 UTC (permalink / raw)
To: linux-ia64
Calling mmap with len = -1 was silently accepted.
Andreas.
--- linux-2.6.5/arch/ia64/kernel/sys_ia64.c.~1~ 2004-04-04 05:37:23.000000000 +0200
+++ linux-2.6.5/arch/ia64/kernel/sys_ia64.c 2004-04-05 18:16:24.424002264 +0200
@@ -201,10 +201,16 @@ do_mmap2 (unsigned long addr, unsigned l
* A zero mmap always succeeds in Linux, independent of whether or not the
* remaining arguments are valid.
*/
- len = PAGE_ALIGN(len);
if (len = 0)
goto out;
+ /* Careful about overflows.. */
+ len = PAGE_ALIGN(len);
+ if (!len || len > TASK_SIZE) {
+ addr = -EINVAL;
+ goto out;
+ }
+
/*
* Don't permit mappings into unmapped space, the virtual page table of a region,
* or across a region boundary. Note: RGN_MAP_LIMIT is equal to 2^n-PAGE_SIZE
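Review bot: the zero check now runs before PAGE_ALIGN, which is the right order: a len of -1 (or anything within PAGE_SIZE - 1 of ULONG_MAX) wraps to 0 inside PAGE_ALIGN, so the old `len = PAGE_ALIGN(len); if (len == 0) goto out;` sequence turned an invalid length into a successful zero-length mmap, while the new `if (!len || len > TASK_SIZE)` after alignment rejects it with -EINVAL and the earlier check still preserves the documented "zero mmap always succeeds" rule. Two small points: the context line `if (len = 0)` reads as an assignment in this copy of the patch, so it is worth confirming the hunk applies against `len == 0` in the tree; and the comment `/* Careful about overflows.. */` would be clearer if it said what is being caught, e.g. "PAGE_ALIGN wraps to 0 for len near ULONG_MAX, so re-check for zero after aligning". Note that `len > TASK_SIZE` only bounds len on its own; addr + len wrapping is still left to the region-boundary check that follows this hunk.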
--
Andreas Schwab, SuSE Labs, schwab@suse.de
SuSE Linux AG, Maxfeldstraße 5, 90409 Nürnberg, Germany
Key fingerprint = 58CA 54C7 6D53 942B 1756 01D3 44D5 214B 8276 4ED5
"And now for something completely different."
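The wrap-around that the patch closes, shown as an added stand-alone C model that is not part of the posted patch or the kernel: PAGE_ALIGN of an all-ones length wraps to 0, so the pre-patch ordering (align, then treat zero as success) silently accepts len = -1, while the post-patch ordering (check zero, then align, then reject zero or oversize) returns -EINVAL. The PAGE_ALIGN macro follows the kernel's definition; the 16 KiB page size and the TASK_SIZE value are constructed placeholders, not the real ia64 constants.

```c
#include <stdio.h>

/* Constructed constants for illustration: 16 KiB pages and a placeholder
 * TASK_SIZE. Neither is taken from the ia64 headers. */
#define PAGE_SHIFT   14
#define PAGE_SIZE    (1UL << PAGE_SHIFT)
#define PAGE_MASK    (~(PAGE_SIZE - 1))
/* Same shape as the kernel macro: round up to the next page boundary.
 * For x within PAGE_SIZE - 1 of ULONG_MAX the addition wraps and the
 * result is 0. */
#define PAGE_ALIGN(x) (((x) + PAGE_SIZE - 1) & PAGE_MASK)
#define TASK_SIZE    0x4000000000000000UL   /* placeholder, not ia64's value */

#define EINVAL 22

/* Pre-patch ordering: align first, then treat zero as the "zero mmap
 * always succeeds" case. Returns 0 for an accepted zero-length request,
 * the aligned length otherwise. */
static long old_check(unsigned long len)
{
    len = PAGE_ALIGN(len);
    if (len == 0)
        return 0;              /* len = -1 lands here: silently accepted */
    return (long)len;
}

/* Post-patch ordering: zero check first, then align, then reject a
 * wrapped (zero) or oversized length with -EINVAL. */
static long new_check(unsigned long len)
{
    if (len == 0)
        return 0;              /* genuine zero mmap still succeeds */
    len = PAGE_ALIGN(len);
    if (!len || len > TASK_SIZE)
        return -EINVAL;        /* wrapped to 0, or larger than user space */
    return (long)len;
}

int main(void)
{
    unsigned long minus_one = ~0UL;

    printf("PAGE_ALIGN(-1)      = %lu\n", PAGE_ALIGN(minus_one));
    printf("old_check(-1)       = %ld\n", old_check(minus_one));
    printf("new_check(-1)       = %ld\n", new_check(minus_one));
    printf("new_check(0)        = %ld\n", new_check(0));
    printf("new_check(1)        = %ld\n", new_check(1));
    printf("new_check(TASK_SIZE+1) = %ld\n", new_check(TASK_SIZE + 1));
    return 0;
}
```

The interesting input is any len in the last page of the address space: aligning it wraps to 0, which the old code could not distinguish from a legitimate zero-length request. Checking for zero before aligning and again after is what separates the two.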
* Re: Missing overflow check in mmap
@ 2004-04-05 21:12 ` David Mosberger
From: David Mosberger @ 2004-04-05 21:12 UTC (permalink / raw)
To: linux-ia64
>>>>> On Mon, 05 Apr 2004 18:49:45 +0200, Andreas Schwab <schwab@suse.de> said:
Andreas> Calling mmap with len = -1 was silently accepted.
Looks like the generic code was fixed last July, but the fix never
made it into the ia64-specific check.
Thanks for the patch,
--david