* [PATCH 1/1] ipc: sem: fix used_sems overflow in newary()
[not found] <cover.1778477179.git.caoruide123@gmail.com>
@ 2026-05-11 10:42 ` Ren Wei
From: Ren Wei @ 2026-05-11 10:42 UTC (permalink / raw)
To: linux-kernel
Cc: david, arnd, ljs, kees, schuster.simon, yuantan098, yifanwucs,
tomapufckgml, bird, caoruide123, enjou1224z, n05ec
From: Ruide Cao <caoruide123@gmail.com>

newary() checks namespace-wide semaphore usage before creating a new
array, but the current accounting uses a plain signed addition.

If the accumulated semaphore count overflows, the limit check can fail
open and allow allocations past sc_semmns, breaking namespace semaphore
resource enforcement and potentially leading to resource exhaustion.

Fix this by using check_add_overflow() before comparing the new total
against sc_semmns, and reject overflow the same way as a true limit
exceed.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Ruide Cao <caoruide123@gmail.com>
Tested-by: Ren Wei <enjou1224z@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
---
ipc/sem.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/ipc/sem.c b/ipc/sem.c
index 6cdf862b1f5c..00c45de33c46 100644
--- a/ipc/sem.c
+++ b/ipc/sem.c
@@ -535,11 +535,13 @@ static int newary(struct ipc_namespace *ns, struct ipc_params *params)
key_t key = params->key;
int nsems = params->u.nsems;
int semflg = params->flg;
+ int total_sems;
int i;
if (!nsems)
return -EINVAL;
- if (ns->used_sems + nsems > ns->sc_semmns)
+ if (check_add_overflow(ns->used_sems, nsems, &total_sems) ||
+ total_sems > ns->sc_semmns)
return -ENOSPC;
sma = sem_alloc(nsems);
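Review bot: the new condition on the check_add_overflow() lines only covers the sum wrapping upward, and the only guard on nsems visible in this hunk is "if (!nsems)", so the fix relies on a negative nsems being rejected before newary() is reached. If the caller guarantees that, a one-line comment above the check saying so would make the precondition explicit; if not, a negative nsems still lowers total_sems and passes "total_sems > ns->sc_semmns". Two smaller points: total_sems is declared int, which is only the right width if ns->used_sems and ns->sc_semmns are also int, so it is worth confirming the types match; and the commit message would be easier to evaluate for stable if it said what sc_semmns setting lets used_sems get close enough to the int maximum for the addition to wrap.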
--
2.34.1