Bug 636383 - kernel: possible integer overflow in mm/fremap.c
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 637042 637043 637044 637045 637046 637047 637048 637049
Blocks:
Reported: 2010-09-22 03:15 UTC by Eugene Teo (Security Response)
Modified: 2023-12-01 05:42 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2023-12-01 05:42:25 UTC
Embargoed:



Description Eugene Teo (Security Response) 2010-09-22 03:15:47 UTC
Description of problem:
Reported by Thomas Pollet.

In mm/fremap.c :

  #if PTE_FILE_MAX_BITS < BITS_PER_LONG
          if (pgoff + (size >> PAGE_SHIFT) >= (1UL << PTE_FILE_MAX_BITS))
                  return err;

The first part of the if statement could overflow.

Attached is some code that implements remap_file_pages if you want to check it: if run like ./a.out 6710886 10000, for example, the pgoff survives as a negative value and is used.

Acknowledgements:

Red Hat would like to thank Thomas Pollet for reporting this issue.
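
The wrap described in the report, as an added example that is not part of the original report or the kernel source. It models a 32-bit unsigned long with uint32_t and assumes PAGE_SHIFT = 12 and PTE_FILE_MAX_BITS = 29; the function names and inputs are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT        12  /* assumed: 4 KiB pages */
#define PTE_FILE_MAX_BITS 29  /* assumed: fewer bits than the 32-bit long modelled here */

typedef uint32_t ulong32;     /* stands in for unsigned long on a 32-bit kernel */

/* Same expression as the quoted check. Returns 1 when the request is
 * rejected, 0 when it passes. The addition is done modulo 2^32, so a
 * large pgoff can wrap to a small sum and slip under the limit. */
static int rejects_quoted(ulong32 pgoff, ulong32 size)
{
    ulong32 end = (ulong32)(pgoff + (size >> PAGE_SHIFT));
    return end >= ((ulong32)1 << PTE_FILE_MAX_BITS);
}

/* Hardened form (one possible rewrite, an assumption of this example):
 * compare against the remaining headroom instead of adding, so no
 * intermediate value can wrap. */
static int rejects_hardened(ulong32 pgoff, ulong32 size)
{
    ulong32 pages = size >> PAGE_SHIFT;
    ulong32 limit = (ulong32)1 << PTE_FILE_MAX_BITS;

    if (pages >= limit)
        return 1;
    return pgoff >= limit - pages;
}

int main(void)
{
    /* Constructed inputs: {pgoff, size in bytes}. */
    const ulong32 cases[][2] = {
        { 100u,        0x4000u  },  /* small offset, 4 pages: valid   */
        { 0x1FFFFFFFu, 0x1000u  },  /* sum equals the limit: invalid  */
        { 0xFFFFFFF0u, 0x20000u },  /* sum wraps to 0x10: invalid     */
    };

    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("pgoff=0x%08x size=0x%08x quoted=%s hardened=%s\n",
               (unsigned)cases[i][0], (unsigned)cases[i][1],
               rejects_quoted(cases[i][0], cases[i][1]) ? "reject" : "pass",
               rejects_hardened(cases[i][0], cases[i][1]) ? "reject" : "pass");
    return 0;
}
```

Only the third case differs: the quoted expression passes it because the sum wraps, while the subtraction-based comparison rejects it.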

Comment 8 Eugene Teo (Security Response) 2010-10-12 07:02:48 UTC
Upstream commit:
http://git.kernel.org/linus/5ec1055aa5632dd7a8283cdb5fa9be3c535eaa06

Comment 15 Wade Mealing 2023-12-01 05:42:25 UTC
Closing, because this is not shipping in code we support anymore.

