oss-sec mailing list archives

Re: kernel: avoid pgoff overflow in remap_file_pages


From: Thomas Pollet <thomas.pollet () gmail com>
Date: Tue, 12 Oct 2010 11:27:42 +0200

fwiw, this check:

if (pgoff + (size >> PAGE_SHIFT) >= (1UL << PTE_FILE_MAX_BITS))

is done to make sure the most significant bits are zero.
pgoff is later used to create a page table entry:

set_pte_at(mm, addr, pte, pgoff_to_pte(pgoff));

the other bits of the pte_t are reserved for the page status bits.
The exact implementation is architecture dependent.

Regards,
Thomas


On 12 October 2010 09:19, Eugene Teo <eugene () redhat com> wrote:
Thomas Pollet reported an integer overflow issue in remap_file_pages().
While we are able to reproduce the issue, we are unable to find a security
impact. If your views differ, do let us know.

https://bugzilla.redhat.com/show_bug.cgi?id=636383
http://git.kernel.org/linus/5ec1055aa5632dd7a8283cdb5fa9be3c535eaa06

Thanks, Eugene
--
main(i) { putchar(182623909 >> (i-1) * 5&31|!!(i<7)<<6) && main(++i); }
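
Added example (not part of either message, and not code from the kernel or the linked commit): the range check quoted above, evaluated with unsigned arithmetic, next to a variant that tests the sum for wrap-around first. PAGE_SHIFT = 12, PTE_FILE_MAX_BITS = 29, the helper names and the sample inputs are assumptions made for illustration; the real values are architecture dependent.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Assumed values for illustration; the real ones are architecture dependent. */
#define PAGE_SHIFT        12
#define PTE_FILE_MAX_BITS 29

/* The range check as quoted in the message: true means "reject". */
static bool check_as_quoted(unsigned long pgoff, unsigned long size)
{
    return pgoff + (size >> PAGE_SHIFT) >= (1UL << PTE_FILE_MAX_BITS);
}

/* Hypothetical variant: test the unsigned sum for wrap-around first. */
static bool check_with_wrap_test(unsigned long pgoff, unsigned long size)
{
    unsigned long pages = size >> PAGE_SHIFT;

    if (pgoff + pages < pgoff)          /* sum wrapped past ULONG_MAX */
        return true;
    return pgoff + pages >= (1UL << PTE_FILE_MAX_BITS);
}

/* Bits of pgoff that do not fit in the file-offset field of the pte. */
static unsigned long bits_outside_field(unsigned long pgoff)
{
    return pgoff & ~((1UL << PTE_FILE_MAX_BITS) - 1);
}

int main(void)
{
    unsigned long size = 2UL << PAGE_SHIFT;           /* two pages */
    /* Constructed inputs: a small offset and one whose sum wraps to 1. */
    unsigned long samples[] = { 16UL, ULONG_MAX };

    for (int i = 0; i < 2; i++) {
        unsigned long p = samples[i];
        printf("pgoff=%#lx quoted_rejects=%d wrap_test_rejects=%d "
               "high_bits=%#lx\n",
               p, check_as_quoted(p, size), check_with_wrap_test(p, size),
               bits_outside_field(p));
    }
    return 0;
}
```

For the second sample the quoted check accepts a pgoff whose most significant bits are set, which is the condition it is meant to exclude.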


