Forked from torvalds/linux

Commit 045c7a3

mjkravetz authored and torvalds committed
hugetlbfs: fix offset overflow in hugetlbfs mmap
If mmap() maps a file, it can be passed an offset into the file at which the mapping is to start. Offset could be a negative value when represented as a loff_t. The offset plus length will be used to update the file size (i_size) which is also a loff_t.

Validate the value of offset and offset + length to make sure they do not overflow and appear as negative.

Found by syzcaller with commit ff8c0c5 ("mm/hugetlb.c: don't call region_abort if region_chg fails") applied. Prior to this commit, the overflow would still occur but we would luckily return ENOMEM.

To reproduce:

    mmap(0, 0x2000, 0, 0x40021, 0xffffffffffffffffULL, 0x8000000000000000ULL);

Resulted in,

    kernel BUG at mm/hugetlb.c:742!
    Call Trace:
     hugetlbfs_evict_inode+0x80/0xa0
     evict+0x24a/0x620
     iput+0x48f/0x8c0
     dentry_unlink_inode+0x31f/0x4d0
     __dentry_kill+0x292/0x5e0
     dput+0x730/0x830
     __fput+0x438/0x720
     ____fput+0x1a/0x20
     task_work_run+0xfe/0x180
     exit_to_usermode_loop+0x133/0x150
     syscall_return_slowpath+0x184/0x1c0
     entry_SYSCALL_64_fastpath+0xab/0xad

Fixes: ff8c0c5 ("mm/hugetlb.c: don't call region_abort if region_chg fails")
Link: http://lkml.kernel.org/r/1491951118-30678-1-git-send-email-mike.kravetz@oracle.com
Reported-by: Vegard Nossum <vegard.nossum@oracle.com>
Signed-off-by: Mike Kravetz <mike.kravetz@oracle.com>
Acked-by: Hillf Danton <hillf.zj@alibaba-inc.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Michal Hocko <mhocko@suse.com>
Cc: "Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>
Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
1 parent: 5b7abea. Commit: 045c7a3
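A user-space model of the two validations described in the commit message, written as an added example (this is not kernel code and not part of the commit): `unpatched_len` reproduces the unchecked `len = vma_len + (vm_pgoff << PAGE_SHIFT)` computation, and `patched_validate` applies the same two rejections (offset negative as loff_t, offset + length wrapping) but as bounds checked before the addition, so the model itself relies on no signed overflow. `MODEL_PAGE_SHIFT`, `loff_t_model` and the function names are constructed for this example; the page shift of 12 assumes a 4 KiB-page build, and `vm_pgoff` is taken to be the mmap offset shifted right by the page shift, as the kernel's mmap path does.

```c
#include <stdint.h>
#include <errno.h>

/* Constructed stand-in for the kernel's PAGE_SHIFT on a 4 KiB-page build. */
#define MODEL_PAGE_SHIFT 12
/* Constructed stand-in for the kernel's 64-bit signed loff_t. */
typedef int64_t loff_t_model;

/*
 * Model of the unpatched computation: len = vma_len + (pgoff << PAGE_SHIFT)
 * with no sign or overflow check. Returns the value that would have been
 * stored into i_size. Unsigned arithmetic is used so the model has no
 * undefined behaviour; the cast at the end shows how loff_t sees the result.
 */
static loff_t_model unpatched_len(unsigned long vm_pgoff, unsigned long vma_len)
{
    uint64_t off = (uint64_t)vm_pgoff << MODEL_PAGE_SHIFT;
    return (loff_t_model)(off + vma_len);
}

/*
 * Model of the patched validation. Returns 0 if the mapping is acceptable,
 * -EINVAL if the offset would be negative as loff_t or offset + length
 * would not fit in a loff_t. Both tests are bounds checks made before the
 * shift and the addition, so nothing here depends on wraparound.
 */
static int patched_validate(unsigned long vm_pgoff, unsigned long vma_len)
{
    /* Shifting this pgoff back into a loff_t would set the sign bit. */
    if ((uint64_t)vm_pgoff > ((uint64_t)INT64_MAX >> MODEL_PAGE_SHIFT))
        return -EINVAL;
    uint64_t off = (uint64_t)vm_pgoff << MODEL_PAGE_SHIFT;  /* now <= INT64_MAX */

    /* off + vma_len would exceed the largest loff_t and appear negative. */
    if ((uint64_t)vma_len > (uint64_t)INT64_MAX - off)
        return -EINVAL;
    return 0;
}

/* The commit's reproducer: offset 0x8000000000000000 with a 0x2000-byte map. */
static int reproducer_rejected(void)
{
    unsigned long pgoff = (unsigned long)(0x8000000000000000ULL >> MODEL_PAGE_SHIFT);
    return patched_validate(pgoff, 0x2000) == -EINVAL
        && unpatched_len(pgoff, 0x2000) < 0;
}
```

`reproducer_rejected()` returns 1: before the fix the reproducer's offset produced a negative `len` destined for i_size, after it the mapping fails with -EINVAL.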

File tree: 1 file changed, 12 additions and 3 deletions


fs/hugetlbfs/inode.c

Lines changed: 12 additions & 3 deletions
@@ -136,17 +136,26 @@ static int hugetlbfs_file_mmap(struct file *file, struct vm_area_struct *vma)
136136
vma->vm_flags |=VM_HUGETLB |VM_DONTEXPAND;
137137
vma->vm_ops=&hugetlb_vm_ops;
138138

139+
/*
140+
* Offset passed to mmap (before page shift) could have been
141+
* negative when represented as a (l)off_t.
142+
*/
143+
if (((loff_t)vma->vm_pgoff <<PAGE_SHIFT)<0)
144+
return-EINVAL;
145+
139146
if (vma->vm_pgoff& (~huge_page_mask(h) >>PAGE_SHIFT))
140147
return-EINVAL;
141148

142149
vma_len= (loff_t)(vma->vm_end-vma->vm_start);
150+
len=vma_len+ ((loff_t)vma->vm_pgoff <<PAGE_SHIFT);
151+
/* check for overflow */
152+
if (len<vma_len)
153+
return-EINVAL;
143154

144155
inode_lock(inode);
145156
file_accessed(file);
146157

147158
ret=-ENOMEM;
148-
len=vma_len+ ((loff_t)vma->vm_pgoff <<PAGE_SHIFT);
149-
150159
if (hugetlb_reserve_pages(inode,
151160
vma->vm_pgoff >>huge_page_order(h),
152161
len >>huge_page_shift(h),vma,
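Review bot: the wrap test `if (len<vma_len)` that follows `len=vma_len+ ((loff_t)vma->vm_pgoff <<PAGE_SHIFT);` only detects the overflow after a signed loff_t addition has already wrapped, which standard C leaves undefined; the kernel builds with -fno-strict-overflow so it behaves as intended here, but a bound checked before the addition (reject when the shifted offset exceeds LLONG_MAX minus vma_len) would not depend on that flag. The preceding `< 0` test on the shifted vm_pgoff does reject the reproducer's 0x8000000000000000 offset, and hoisting the len computation above inode_lock(inode) is safe since it reads only the vma, not the inode.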
@@ -155,7 +164,7 @@ static int hugetlbfs_file_mmap(struct file *file, struct vm_area_struct *vma)
155164

156165
ret=0;
157166
if (vma->vm_flags&VM_WRITE&&inode->i_size<len)
158-
inode->i_size=len;
167+
i_size_write(inode,len);
159168
out:
160169
inode_unlock(inode);
161170
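Review bot: the new `i_size_write(inode,len);` is paired with a bare `inode->i_size<len` read on the preceding line; for consistency the comparison should use i_size_read(inode). The serialisation i_size_write requires is satisfied, since inode_lock(inode) is held until the inode_unlock(inode) after out:, but this switch is not mentioned in the commit message, which describes only the offset validation; a sentence noting it would help anyone bisecting later i_size behaviour.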

Comments (0)
