From: Ren Wei
To: linux-kernel@vger.kernel.org
Cc: david@kernel.org, arnd@arndb.de, ljs@kernel.org, kees@kernel.org, schuster.simon@siemens-energy.com, yuantan098@gmail.com, yifanwucs@gmail.com, tomapufckgml@gmail.com, bird@lzu.edu.cn, caoruide123@gmail.com, enjou1224z@gmail.com, n05ec@lzu.edu.cn
Subject: [PATCH 1/1] ipc: sem: fix used_sems overflow in newary()
Date: Mon, 11 May 2026 18:42:53 +0800
Message-ID: <849fb1fdecd1cc241fd5b032602dbffa90f9dd93.1778477179.git.caoruide123@gmail.com>

From: Ruide Cao

newary() checks namespace-wide semaphore usage before creating a new array, but the current accounting uses a plain signed addition. If the accumulated semaphore count overflows, the limit check can fail open and allow allocations past sc_semmns, breaking namespace semaphore resource enforcement and potentially leading to resource exhaustion.

Fix this by using check_add_overflow() before comparing the new total against sc_semmns, and reject overflow the same way as a true limit exceed.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@kernel.org
Reported-by: Yuan Tan
Reported-by: Yifan Wu
Reported-by: Juefei Pu
Reported-by: Xin Liu
Signed-off-by: Ruide Cao
Tested-by: Ren Wei
Signed-off-by: Ren Wei
--- ipc/sem.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/ipc/sem.c b/ipc/sem.c index 6cdf862b1f5c..00c45de33c46 100644 --- a/ipc/sem.c +++ b/ipc/sem.c @@ -535,11 +535,13 @@ static int newary(struct ipc_namespace *ns, struct ipc_params *params) key_t key = params->key; int nsems = params->u.nsems; int semflg = params->flg; + int total_sems; int i; if (!nsems) return -EINVAL; - if (ns->used_sems + nsems > ns->sc_semmns) + if (check_add_overflow(ns->used_sems, nsems, &total_sems) || + total_sems > ns->sc_semmns) return -ENOSPC; sma = sem_alloc(nsems); -- 2.34.1
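
Review bot: the new condition in newary() only guards the upper side of the sum, while the one check on nsems visible in this hunk is "if (!nsems)", and nsems is a signed int copied from params->u.nsems. If a negative value can reach this point, check_add_overflow() reports no overflow, total_sems ends up below ns->used_sems, and the comparison against ns->sc_semmns passes. If the caller already bounds nsems, please say so in the commit message or in a short comment above the check; otherwise reject nsems <= 0 here instead of only zero. Two smaller points: the commit message does not say under which sc_semmns setting the signed addition can wrap, which would help stable maintainers judge the backport, and the diffstat shows no new include, so please confirm ipc/sem.c already pulls in linux/overflow.h rather than relying on an indirect include.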