From 7edc8b0ac16cbaed7cb4ea4c6b95ce98d2997e84 Mon Sep 17 00:00:00 2001
From: Siddhesh Poyarekar <siddhesh.poyarekar@gmail.com>
Date: Tue, 29 May 2012 15:06:22 -0700
Subject: mm/fork: fix overflow in vma length when copying mmap on clone

From: Siddhesh Poyarekar <siddhesh.poyarekar@gmail.com>

commit 7edc8b0ac16cbaed7cb4ea4c6b95ce98d2997e84 upstream.

The vma length in dup_mmap is calculated and stored in an unsigned int,
which is insufficient and hence overflows for very large maps (beyond
16TB). The following program demonstrates this:

#include <stdio.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/wait.h>
#define GIG 1024 * 1024 * 1024L
#define EXTENT (16 * 1024 + 8) /* 1GB maps past 16TB; the original count is not preserved in this extract */
int main(void) { int i, r; void *m;
	for (i = 0; i < EXTENT; i++) {
		m = mmap(NULL, (size_t) 1 * 1024 * 1024 * 1024L,
			 PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, 0, 0);
		if (m == MAP_FAILED) printf("MMAP Failed: %p\n", m);
		else printf("%d : MMAP returned %p\n", i, m);
		r = fork();
		if (r == 0) { printf("%d: successed\n", i); return 0; }
		else if (r < 0) printf("FORK Failed: %d\n", r); else wait(NULL);
	} return 0; }

Increase the storage size of the result to unsigned long, which is
sufficient for storing the difference between addresses.

Signed-off-by: Siddhesh Poyarekar <siddhesh.poyarekar@gmail.com>
Cc: Tejun Heo <tj@kernel.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Jens Axboe <axboe@kernel.dk>
Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
Acked-by: Hugh Dickins <hughd@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 1 file changed, 2 insertions(+), 1 deletion(-)

68 @@ -356,7 +356,8 @@ static int dup_mmap(struct mm_struct *mm
71 if (mpnt->vm_flags & VM_ACCOUNT) {
72 - unsigned int len = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
74 + len = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
75 if (security_vm_enough_memory_mm(oldmm, len)) /* sic */
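Review bot: the added line `len = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;` assigns to `len` with no declaration in the visible lines, while the diffstat reports 2 insertions and 1 deletion, so one inserted line (the `unsigned long` declaration the message describes) is missing from this extract; confirm the declaration is present in the hunk and that its type is `unsigned long`, since `vm_end` and `vm_start` are already `unsigned long` and the only truncation was the store into `unsigned int`, which with PAGE_SHIFT 12 wraps at 2^32 pages, the 16TB the message quotes. The widened `len` is then passed straight to `security_vm_enough_memory_mm(oldmm, len)`, so it is worth checking that the callee's `pages` parameter is at least as wide (it is declared `long` in the kernel) so the value is not narrowed again at the call.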
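As an added illustration, not part of this patch or of the kernel source: a user-space model of the VM_ACCOUNT charge step in dup_mmap(), with the pre-fix truncating calculation beside the fixed one. The `struct vma`, `PAGE_SHIFT`, `VM_ACCOUNT`, `vm_enough_memory()` and the page budget are constructed stand-ins for the kernel's.

```c
/* Constructed user-space model of the dup_mmap() charge step; not kernel code. */
#include <stdio.h>
#define PAGE_SHIFT 12UL   /* 4 KiB pages: 2^32 pages is the 16TB mark the message quotes */
#define VM_ACCOUNT 0x1UL  /* constructed flag bit; only its presence matters here */
struct vma { unsigned long vm_start, vm_end, vm_flags; };

/* Before the fix: the page count is stored in an unsigned int and wraps past 16TB. */
static unsigned long charge_before_fix(const struct vma *v)
{
    unsigned int len = (v->vm_end - v->vm_start) >> PAGE_SHIFT;
    return len;
}

/* After the fix: unsigned long keeps the full page count. */
static unsigned long charge_after_fix(const struct vma *v)
{
    unsigned long len = (v->vm_end - v->vm_start) >> PAGE_SHIFT;
    return len;
}

/* Stand-in for security_vm_enough_memory_mm(): accept while the charge fits the budget. */
static int vm_enough_memory(unsigned long budget_pages, unsigned long pages)
{
    return pages <= budget_pages;
}

/* Model of the VM_ACCOUNT loop in dup_mmap(): total pages charged, or -1 on fail_nomem.
 * With the truncated length a 17TB vma is charged as 1GB, so the check wrongly passes. */
static long dup_mmap_charge(const struct vma *vmas, int n, unsigned long budget_pages,
                            unsigned long (*charge)(const struct vma *))
{
    unsigned long total = 0;
    for (int i = 0; i < n; i++) {
        if (!(vmas[i].vm_flags & VM_ACCOUNT))
            continue;
        unsigned long len = charge(&vmas[i]);
        if (!vm_enough_memory(budget_pages - total, len))
            return -1;
        total += len;
    }
    return (long)total;
}

int main(void)
{   /* Constructed 17TB vma charged against a 2TB budget (2^29 pages); -1 means refused. */
    struct vma big = { 1UL << 40, 18UL << 40, VM_ACCOUNT };
    printf("charge before fix: %ld, after fix: %ld\n",
           dup_mmap_charge(&big, 1, 2UL << 28, charge_before_fix),
           dup_mmap_charge(&big, 1, 2UL << 28, charge_after_fix));
    return 0;
}
```

Assumes a 64-bit `unsigned long`, as on x86-64 Linux.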