Commit 88f48c81 authored by David Howells's avatar David Howells Committed by Linus Torvalds

[PATCH] Fix the mincore() syscall

This fixes the mincore syscall in three ways:

 (1) It moves as much argument checking outside of the semaphore-holding
     region as possible.

 (2) It checks the region parameters against TASK_SIZE so that a 32-bit binary
     on a 64-bit platform will get the right error when calling this syscall
     on a region that overlaps the end of the 32-bit address space.

 (3) It tidies up the VMA checking loop a little.
Signed-Off-By: default avatarDavid Howells <dhowells@redhat.com>
Signed-Off-By: default avatarLinus Torvalds <torvalds@osdl.org>
parent 96b39b5b
...@@ -109,39 +109,45 @@ asmlinkage long sys_mincore(unsigned long start, size_t len, ...@@ -109,39 +109,45 @@ asmlinkage long sys_mincore(unsigned long start, size_t len,
unsigned char __user * vec) unsigned char __user * vec)
{ {
int index = 0; int index = 0;
unsigned long end; unsigned long end, limit;
struct vm_area_struct * vma; struct vm_area_struct * vma;
size_t max;
int unmapped_error = 0; int unmapped_error = 0;
long error = -EINVAL; long error;
down_read(&current->mm->mmap_sem); /* check the arguments */
if (start & ~PAGE_CACHE_MASK)
goto einval;
if (start < FIRST_USER_PGD_NR * PGDIR_SIZE)
goto enomem;
limit = TASK_SIZE;
if (start >= limit)
goto enomem;
max = limit - start;
len = PAGE_CACHE_ALIGN(len);
if (len > max)
goto einval;
if (start & ~PAGE_CACHE_MASK)
goto out;
len = (len + ~PAGE_CACHE_MASK) & PAGE_CACHE_MASK;
end = start + len; end = start + len;
if (end < start)
goto out;
/* check the output buffer whilst holding the lock */
error = -EFAULT; error = -EFAULT;
if (!access_ok(VERIFY_WRITE, vec, len >> PAGE_SHIFT)) down_read(&current->mm->mmap_sem);
goto out;
error = 0; if (!access_ok(VERIFY_WRITE, vec, len >> PAGE_SHIFT))
if (end == start)
goto out; goto out;
/* /*
* If the interval [start,end) covers some unmapped address * If the interval [start,end) covers some unmapped address
* ranges, just ignore them, but return -ENOMEM at the end. * ranges, just ignore them, but return -ENOMEM at the end.
*/ */
vma = find_vma(current->mm, start); error = 0;
for (;;) {
/* Still start < end. */
error = -ENOMEM;
if (!vma)
goto out;
vma = find_vma(current->mm, start);
while (vma) {
/* Here start < vma->vm_end. */ /* Here start < vma->vm_end. */
if (start < vma->vm_start) { if (start < vma->vm_start) {
unmapped_error = -ENOMEM; unmapped_error = -ENOMEM;
...@@ -169,7 +175,15 @@ asmlinkage long sys_mincore(unsigned long start, size_t len, ...@@ -169,7 +175,15 @@ asmlinkage long sys_mincore(unsigned long start, size_t len,
vma = vma->vm_next; vma = vma->vm_next;
} }
/* we found a hole in the area queried if we arrive here */
error = -ENOMEM;
out: out:
up_read(&current->mm->mmap_sem); up_read(&current->mm->mmap_sem);
return error; return error;
einval:
return -EINVAL;
enomem:
return -ENOMEM;
} }
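Review bot: `len = PAGE_CACHE_ALIGN(len);` can wrap to a small value when len lies within a page of SIZE_MAX, so the following `if (len > max) goto einval;` no longer rejects such a request, and the old `if (end < start) goto out;` guard that used to catch the overflow is removed in the same hunk. Checking the unaligned length first avoids the wrap, `if (len > max) goto einval;` then `len = PAGE_CACHE_ALIGN(len);`, and since start is page-aligned and max derives from TASK_SIZE the aligned length should still fit, assuming TASK_SIZE is itself page-aligned. The loop body that consumes end lies outside the hunk, so what a wrapped request with end == start does there cannot be confirmed from here. Separately, the comment `/* check the output buffer whilst holding the lock */` describes ordering rather than a requirement: access_ok() only range-checks the user pointer and does not depend on mmap_sem, so either move down_read() below it or reword the comment to say why the lock is taken first.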