summaryrefslogtreecommitdiffstats
path: root/fs/binfmt_elf.c
diff options
context:
space:
mode:
authorAlexey Dobriyan <adobriyan@gmail.com>2018-02-06 15:39:13 -0800
committerLinus Torvalds <torvalds@linux-foundation.org>2018-02-06 18:32:45 -0800
commit60c9d92f887f4606d363fece7a36c92664dc64c6 (patch)
tree781eee237ca913cbb4e1b80d20c87226ee48f5b5 /fs/binfmt_elf.c
parent2d453e3b41c80d1a2c02b02d672f5dcd73f95a12 (diff)
downloadlinux-60c9d92f887f4606d363fece7a36c92664dc64c6.tar.gz
linux-60c9d92f887f4606d363fece7a36c92664dc64c6.tar.bz2
linux-60c9d92f887f4606d363fece7a36c92664dc64c6.zip
elf: fix NT_FILE integer overflow
If vm.max_map_count bumped above 2^26 (67+ mil) and system has enough RAM to allocate all the VMAs (~12.8 GB on Fedora 27 with 200-byte VMAs), then it should be possible to overflow 32-bit "size", pass paranoia check, allocate very little vmalloc space and oops while writing into vmalloc guard page... But I didn't test this, only coredump of regular process. Link: http://lkml.kernel.org/r/20180112203427.GA9109@avx2 Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'fs/binfmt_elf.c')
-rw-r--r--fs/binfmt_elf.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
index 83732fef510d..bdb201230bae 100644
--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -1599,6 +1599,8 @@ static int fill_files_note(struct memelfnote *note)
/* *Estimated* file count and total data size needed */
count = current->mm->map_count;
+ if (count > UINT_MAX / 64)
+ return -EINVAL;
size = count * 64;
names_ofs = (2 + 3 * count) * sizeof(data[0]);