Bug 636383

Summary: kernel: possible integer overflow in mm/fremap.c
Product: [Other] Security Response
Reporter: Eugene Teo (Security Response) <eteo>
Component: vulnerability
Assignee: Nobody <nobody>
Status: CLOSED WONTFIX
Severity: high
Priority: high
Version: unspecified
CC: arozansk, bhu, jkacur, kzhang, lgoncalv, peterm, plyons, pmatouse, rkhan, vgoyal, williams, wmealing
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2023-12-01 05:42:25 UTC
Bug Depends On: 637042, 637043, 637044, 637045, 637046, 637047, 637048, 637049

Description Eugene Teo (Security Response) 2010-09-22 03:15:47 UTC
Description of problem:
Reported by Thomas Pollet.

In mm/fremap.c:

  146 #if PTE_FILE_MAX_BITS < BITS_PER_LONG
  147         if (pgoff + (size >> PAGE_SHIFT) >= (1UL << PTE_FILE_MAX_BITS))
  148                 return err;

The first part of the if statement could overflow.

Attached is some code that implements remap_file_pages if you want to check it: if run like ./a.out 6710886 10000, for example, the pgoff survives as a negative value and is used.

Acknowledgements:

Red Hat would like to thank Thomas Pollet for reporting this issue.
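
The wrap that the description points at, as an added example (it is not the attachment mentioned above and not kernel code). It models a 32-bit unsigned long with uint32_t; the PAGE_SHIFT and PTE_FILE_MAX_BITS values, the helper names and the inputs are assumptions chosen for illustration, and the wrap-safe variant is one possible rewrite, not a copy of the upstream commit.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed values for illustration: a 32-bit target where unsigned long is
 * 32 bits wide, modelled with uint32_t so the wrap reproduces on any host. */
#define PAGE_SHIFT        12
#define PTE_FILE_MAX_BITS 29
#define PGOFF_LIMIT       ((uint32_t)1 << PTE_FILE_MAX_BITS)

/* Same shape as the quoted check: returns 1 when the request is rejected. */
static int rejects_as_quoted(uint32_t pgoff, uint32_t size)
{
    /* The sum is computed modulo 2^32, so it can wrap to below the limit. */
    uint32_t end = (uint32_t)(pgoff + (size >> PAGE_SHIFT));

    return end >= PGOFF_LIMIT;
}

/* Hypothetical wrap-safe form: bound pgoff first, then compare the page
 * count against the remaining room, so no sum that can overflow is formed. */
static int rejects_wrap_safe(uint32_t pgoff, uint32_t size)
{
    uint32_t pages = size >> PAGE_SHIFT;

    if (pgoff >= PGOFF_LIMIT)
        return 1;
    return pages >= PGOFF_LIMIT - pgoff;
}

int main(void)
{
    /* Constructed inputs: in range, exactly at the limit, and wrapping. */
    const uint32_t cases[][2] = {
        { 0x100u,          4u << PAGE_SHIFT },
        { PGOFF_LIMIT - 4, 4u << PAGE_SHIFT },
        { 0xFFFFFFF0u,     0x10u << PAGE_SHIFT },
    };

    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("pgoff=%#x size=%#x quoted=%d wrap_safe=%d\n",
               (unsigned)cases[i][0], (unsigned)cases[i][1],
               rejects_as_quoted(cases[i][0], cases[i][1]),
               rejects_wrap_safe(cases[i][0], cases[i][1]));
    return 0;
}
```

Only the third case differs: the quoted form accepts it because the sum wraps to zero, while the wrap-safe form rejects it.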

Comment 8 Eugene Teo (Security Response) 2010-10-12 07:02:48 UTC
Upstream commit:
http://git.kernel.org/linus/5ec1055aa5632dd7a8283cdb5fa9be3c535eaa06

Comment 15 Wade Mealing 2023-12-01 05:42:25 UTC
Closing, because this is not shipping in code we support anymore.