[PATCH] Fix madvise length checking

Fix http://bugme.osdl.org/show_bug.cgi?id=2710. When the user passed madvise a length of -1 through -4095, madvise blindly rounds this up to 0 then "succeeds".

[PATCH] Fix madvise length checking
Fix http://bugme.osdl.org/show_bug.cgi?id=2710. When the user passed madvise a length of -1 through -4095, madvise blindly rounds this up to 0 then "succeeds".
f7efcc03 · Andrew Morton · Linus Torvalds · c2273c87 · f7efcc03
Commit f7efcc03 authored May 19, 2004 by Andrew Morton Committed by Linus Torvalds May 19, 2004
Hide whitespace changes
Inline Side-by-side

Showing with 8 additions and 2 deletions

mm/madvise.c mm/madvise.c +8 -2

No files found.
--- a/mm/madvise.c
+++ b/mm/madvise.c
@@ -170,18 +170,24 @@ static long madvise_vma(struct vm_area_struct * vma, unsigned long start,
 *  -EBADF  - map exists, but area maps something that isn't a file.
 *  -EAGAIN - a kernel resource was temporarily unavailable.
 */
-asmlinkage long sys_madvise(unsigned long start, size_t len, int behavior)
+asmlinkage long sys_madvise(unsigned long start, size_t len_in, int behavior)
 {
 	unsigned long end;
 	struct vm_area_struct * vma;
 	int unmapped_error = 0;
 	int error = -EINVAL;
+	size_t len;

 	down_write(&current->mm->mmap_sem);

 	if (start & ~PAGE_MASK)
 		goto out;
-	len = (len + ~PAGE_MASK) & PAGE_MASK;
+	len = (len_in + ~PAGE_MASK) & PAGE_MASK;
+
+	/* Check to see whether len was rounded up from small -ve to zero */
+	if (len_in && !len)
+		goto out;
+
 	end = start + len;
 	if (end < start)
 		goto out;