authorAndrew Morton <akpm@osdl.org>2004-05-19 02:34:55 -0700
committerLinus Torvalds <torvalds@ppc970.osdl.org>2004-05-19 02:34:55 -0700
commitf7efcc03fbd1c63fe361bf1a52363c947e557a8c (patch)
tree716af09bdc28396da9f75df3363d8aba646ba739 /mm
parentc2273c8750fbc74c512edaa900847ed9fa53adde (diff)
[PATCH] Fix madvise length checking
Fix http://bugme.osdl.org/show_bug.cgi?id=2710. When the user passed madvise a length of -1 through -4095, madvise blindly rounds this up to 0 then "succeeds".
Diffstat (limited to 'mm')
-rw-r--r--mm/madvise.c10
1 files changed, 8 insertions, 2 deletions
diff --git a/mm/madvise.c b/mm/madvise.c
index 81c4ea30c75e60..4b1360317c7cf7 100644
--- a/mm/madvise.c
+++ b/mm/madvise.c
@@ -170,18 +170,24 @@ static long madvise_vma(struct vm_area_struct * vma, unsigned long start,
* -EBADF - map exists, but area maps something that isn't a file.
* -EAGAIN - a kernel resource was temporarily unavailable.
*/
-asmlinkage long sys_madvise(unsigned long start, size_t len, int behavior)
+asmlinkage long sys_madvise(unsigned long start, size_t len_in, int behavior)
{
unsigned long end;
struct vm_area_struct * vma;
int unmapped_error = 0;
int error = -EINVAL;
+ size_t len;
down_write(&current->mm->mmap_sem);
if (start & ~PAGE_MASK)
goto out;
- len = (len + ~PAGE_MASK) & PAGE_MASK;
+ len = (len_in + ~PAGE_MASK) & PAGE_MASK;
+
+ /* Check to see whether len was rounded up from small -ve to zero */
+ if (len_in && !len)
+ goto out;
+
end = start + len;
if (end < start)
goto out;
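Review bot: The comment on the new wrap check in sys_madvise says "small -ve", but len_in is a size_t, so what is actually caught is an unsigned wraparound in the page round-up, and the comment does not say why testing for zero is enough. Since at most PAGE_SIZE-1 is added before masking, a wrapped sum is always below PAGE_SIZE and masks to exactly 0, so `if (len_in && !len)` does cover every wrapped input. I would record that invariant so a later change to the rounding does not quietly reopen the silent-success case, e.g. `/* len_in was in the top PAGE_SIZE-1 values of size_t: the round-up wrapped to 0; reject it rather than treat it as an empty range */`. Separately, this check and the alignment check only inspect the arguments yet run after `down_write()` on mmap_sem; whether they could move ahead of the lock depends on the `out` path, which lies outside this hunk.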