[PATCH 2.6] Fix mincore cornercases: overflow caused by large "len"

Tue, 25 Jan 2005 18:33:01 -0800 

This patch fixes 2 cornercases of overflow caused by argument len in
sys_mincore():

Case 1: len is so large that will overflow to 0 after page alignment.
E.g. len=(size_t)(-1), i.e. 0xff...ff.
Expected result: it's overflow and return ENOMEM.
Current result: len is aligned to 0, then treated the same as len=0 and
return succeed.
This cornercase has been fixed in do_mmap_pgoff(), and here
sys_mincore() also needs this fix.

Case 2: len is a large number but will not overflow after alignment. But
start+len will overflow.
E.g. len=(size_t)(-PAGE_SIZE), and start>0.
Expected result: it's overflow and return ENOMEM.
Current result: return EINVAL. Looks like considering len as a
non-positive value, probably influenced by manpage. But since the type
of len is size_t, i.e. unsigned, it shouldn't be considered as
non-positive value.
I've also reported this inconsistency to manpage mincore.

Signed-off-by: Gordon Jin <[EMAIL PROTECTED]>

Index: linux-2.6.10/mm/mincore.c
===================================================================
--- linux-2.6.10.orig/mm/mincore.c      2005-01-12 06:59:09.000000000 +0800
+++ linux-2.6.10/mm/mincore.c   2005-01-18 17:29:34.432160185 +0800
@@ -97,8 +97,7 @@ static long mincore_vma(struct vm_area_s
  * return values:
  *  zero    - success
  *  -EFAULT - vec points to an illegal address
- *  -EINVAL - addr is not a multiple of PAGE_CACHE_SIZE,
- *             or len has a nonpositive value
+ *  -EINVAL - addr is not a multiple of PAGE_CACHE_SIZE
  *  -ENOMEM - Addresses in the range [addr, addr + len] are
  *             invalid for the address space of this process, or
  *             specify one or more pages which are not currently
@@ -114,13 +113,18 @@ asmlinkage long sys_mincore(unsigned lon
        int unmapped_error = 0;
        long error = -EINVAL;
 
+       if (!len)
+               return 0;
+
        down_read(&current->mm->mmap_sem);
 
        if (start & ~PAGE_CACHE_MASK)
                goto out;
+
+       error = -ENOMEM;
        len = (len + ~PAGE_CACHE_MASK) & PAGE_CACHE_MASK;
        end = start + len;
-       if (end < start)
+       if (end <= start)       /* overflow */
                goto out;
 
        error = -EFAULT;


-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Reply via email to