author | Andrew Morton <akpm@osdl.org> | 2004-05-19 02:34:55 -0700 |
---|---|---|
committer | Linus Torvalds <torvalds@ppc970.osdl.org> | 2004-05-19 02:34:55 -0700 |
commit | f7efcc03fbd1c63fe361bf1a52363c947e557a8c (patch) | |
tree | 716af09bdc28396da9f75df3363d8aba646ba739 /mm | |
parent | c2273c8750fbc74c512edaa900847ed9fa53adde (diff) | |
download | history-f7efcc03fbd1c63fe361bf1a52363c947e557a8c.tar.gz |
[PATCH] Fix madvise length checking
Fix http://bugme.osdl.org/show_bug.cgi?id=2710.
When the user passes madvise a length of -1 through -4095, madvise blindly
rounds this up to 0 and then "succeeds".
Diffstat (limited to 'mm')
-rw-r--r-- | mm/madvise.c | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/mm/madvise.c b/mm/madvise.c
index 81c4ea30c75e60..4b1360317c7cf7 100644
--- a/mm/madvise.c
+++ b/mm/madvise.c
@@ -170,18 +170,24 @@ static long madvise_vma(struct vm_area_struct * vma, unsigned long start,
 * -EBADF - map exists, but area maps something that isn't a file.
 * -EAGAIN - a kernel resource was temporarily unavailable.
 */
-asmlinkage long sys_madvise(unsigned long start, size_t len, int behavior)
+asmlinkage long sys_madvise(unsigned long start, size_t len_in, int behavior)
 {
 unsigned long end;
 struct vm_area_struct * vma;
 int unmapped_error = 0;
 int error = -EINVAL;
+ size_t len;
 down_write(¤t->mm->mmap_sem);
 if (start & ~PAGE_MASK)
 goto out;
- len = (len + ~PAGE_MASK) & PAGE_MASK;
+ len = (len_in + ~PAGE_MASK) & PAGE_MASK;
+
+ /* Check to see whether len was rounded up from small -ve to zero */
+ if (len_in && !len)
+ goto out;
+
 end = start + len;
 if (end < start)
 goto out; |
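Review bot: The comment on the new `if (len_in && !len)` check calls `len_in` "small -ve", but `len_in` is an unsigned `size_t`, so what is actually rejected is the top PAGE_SIZE-1 values of the type wrapping to zero in the round-up. I would word it as `/* len_in within PAGE_SIZE-1 of the size_t maximum wraps to 0 when rounded up: reject it rather than report success on an empty range */`. The rejection depends on `error` still holding its initial `-EINVAL` at that point, which is true in the visible lines. The return-value comment above the function is only partly visible here; if its -EINVAL entry does not mention an out-of-range `len`, it should. The rest of sys_madvise, including the `out:` label, lies outside the hunk.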