diff options
| author | Alexey Dobriyan <adobriyan@gmail.com> | 2018-02-06 15:39:13 -0800 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2018-02-06 18:32:45 -0800 |
| commit | 60c9d92f887f4606d363fece7a36c92664dc64c6 (patch) | |
| tree | 781eee237ca913cbb4e1b80d20c87226ee48f5b5 /fs/binfmt_elf.c | |
| parent | 2d453e3b41c80d1a2c02b02d672f5dcd73f95a12 (diff) | |
| download | linux-60c9d92f887f4606d363fece7a36c92664dc64c6.tar.gz linux-60c9d92f887f4606d363fece7a36c92664dc64c6.tar.bz2 linux-60c9d92f887f4606d363fece7a36c92664dc64c6.zip | |
elf: fix NT_FILE integer overflow
If vm.max_map_count bumped above 2^26 (67+ mil) and system has enough RAM
to allocate all the VMAs (~12.8 GB on Fedora 27 with 200-byte VMAs), then
it should be possible to overflow 32-bit "size", pass paranoia check,
allocate very little vmalloc space and oops while writing into vmalloc
guard page...
But I didn't test this, only coredump of regular process.
Link: http://lkml.kernel.org/r/20180112203427.GA9109@avx2
Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'fs/binfmt_elf.c')
| -rw-r--r-- | fs/binfmt_elf.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c index 83732fef510d..bdb201230bae 100644 --- a/fs/binfmt_elf.c +++ b/fs/binfmt_elf.c @@ -1599,6 +1599,8 @@ static int fill_files_note(struct memelfnote *note) /* *Estimated* file count and total data size needed */ count = current->mm->map_count; + if (count > UINT_MAX / 64) + return -EINVAL; size = count * 64; names_ofs = (2 + 3 * count) * sizeof(data[0]); |