[PATCH] Fix compat shmget overflow

This fixes an incorrect sign extension in the compat layer that breaks 32bit shmget that are >2GB. sys_shmget has a signed size_t size argument, and the int size argument coming from 32bit user space would get sign extended to 64bit, which is wrong. I fixed it on all compat architectures, except PPC64 which was already ok. It was originally debugged and fixed by Karl Rister @ IBM for SLES9 on x86-64. Signed-off-by: Andi Kleen <ak@suse.de> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>

[PATCH] Fix compat shmget overflow
This fixes an incorrect sign extension in the compat layer that breaks 32bit shmget that are >2GB. sys_shmget has a signed size_t size argument, and the int size argument coming from 32bit user space would get sign extended to 64bit, which is wrong. I fixed it on all compat architectures, except PPC64 which was already ok. It was originally debugged and fixed by Karl Rister @ IBM for SLES9 on x86-64. Signed-off-by: Andi Kleen <ak@suse.de> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
1e8a9345 · Andi Kleen · Linus Torvalds · 46f4fe4b · 1e8a9345 · 1e8a9345
Commit 1e8a9345 authored Feb 09, 2005 by Andi Kleen Committed by Linus Torvalds Feb 09, 2005
5 changed files
--- a/arch/ia64/ia32/sys_ia32.c
+++ b/arch/ia64/ia32/sys_ia32.c
@@ -1415,7 +1415,7 @@ sys32_ipc(u32 call, int first, int second, int third, u32 ptr, u32 fifth)
 	      case SHMDT:
 		return sys_shmdt(compat_ptr(ptr));
 	      case SHMGET:
-		return sys_shmget(first, second, third);
+		return sys_shmget(first, (unsigned)second, third);
 	      case SHMCTL:
 		return compat_sys_shmctl(first, second, compat_ptr(ptr));


--- a/arch/mips/kernel/linux32.c
+++ b/arch/mips/kernel/linux32.c
@@ -1115,7 +1115,7 @@ sys32_ipc (u32 call, int first, int second, int third, u32 ptr, u32 fifth)
 		err = sys_shmdt ((char *)A(ptr));
 		break;
 	case SHMGET:
-		err = sys_shmget (first, second, third);
+		err = sys_shmget (first, (unsigned)second, third);
 		break;
 	case SHMCTL:
 		err = do_sys32_shmctl (first, second, (void *)AA(ptr));

--- a/arch/s390/kernel/compat_linux.c
+++ b/arch/s390/kernel/compat_linux.c
@@ -331,7 +331,7 @@ asmlinkage long sys32_ipc(u32 call, int first, int second, int third, u32 ptr)
 	case SHMDT:
 		return sys_shmdt(compat_ptr(ptr));
 	case SHMGET:
-		return sys_shmget(first, second, third);
+		return sys_shmget(first, (unsigned)second, third);
 	case SHMCTL:
 		return compat_sys_shmctl(first, second, compat_ptr(ptr));
 	}

--- a/arch/sparc64/kernel/sys_sparc32.c
+++ b/arch/sparc64/kernel/sys_sparc32.c
@@ -835,7 +835,7 @@ asmlinkage long compat_sys_ipc(u32 call, int first, int second, int third, compa
 			err = sys_shmdt(ptr);
 			goto out;
 		case SHMGET:
-			err = sys_shmget(first, second, third);
+			err = sys_shmget(first, (unsigned)second, third);
 			goto out;
 		case SHMCTL:
 			err = do_sys32_shmctl(first, second, ptr);

--- a/arch/x86_64/ia32/ipc32.c
+++ b/arch/x86_64/ia32/ipc32.c
@@ -49,7 +49,7 @@ sys32_ipc(u32 call, int first, int second, int third,
 	      case SHMDT:
 		return sys_shmdt(compat_ptr(ptr));
 	      case SHMGET:
-		return sys_shmget(first, second, third);
+		return sys_shmget(first, (unsigned)second, third);
 	      case SHMCTL:
 		return compat_sys_shmctl(first, second, compat_ptr(ptr));
 	}