summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRussell King <rmk+kernel@arm.linux.org.uk>2016-08-02 23:05:57 +0200
committerLinus Torvalds <torvalds@linux-foundation.org>2016-08-03 01:35:26 +0200
commit465d377701dfe6a08a9f361a3fd926dea7f89c74 (patch)
tree12138ab84eed21bfc244408d15179061685cac1d
parentkexec: don't invoke OOM-killer for control page allocation (diff)
downloadlinux-465d377701dfe6a08a9f361a3fd926dea7f89c74.tar.xz
linux-465d377701dfe6a08a9f361a3fd926dea7f89c74.zip
kexec: ensure user memory sizes do not wrap
Ensure that user memory sizes do not wrap around when validating the user input, which can lead to the following input validation working incorrectly. [akpm@linux-foundation.org: fix it for kexec-return-error-number-directly.patch] Link: http://lkml.kernel.org/r/E1b8koF-0004HM-5x@rmk-PC.armlinux.org.uk Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk> Reviewed-by: Pratyush Anand <panand@redhat.com> Acked-by: Baoquan He <bhe@redhat.com> Cc: Keerthy <j-keerthy@ti.com> Cc: Vitaly Andrianov <vitalya@ti.com> Cc: Eric Biederman <ebiederm@xmission.com> Cc: Dave Young <dyoung@redhat.com> Cc: Vivek Goyal <vgoyal@redhat.com> Cc: Simon Horman <horms@verge.net.au> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-rw-r--r--kernel/kexec_core.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/kernel/kexec_core.c b/kernel/kexec_core.c
index 23311c803b1b..5a83b2a9d584 100644
--- a/kernel/kexec_core.c
+++ b/kernel/kexec_core.c
@@ -168,6 +168,8 @@ int sanity_check_segment_list(struct kimage *image)
mstart = image->segment[i].mem;
mend = mstart + image->segment[i].memsz;
+ if (mstart > mend)
+ return -EADDRNOTAVAIL;
if ((mstart & ~PAGE_MASK) || (mend & ~PAGE_MASK))
return -EADDRNOTAVAIL;
if (mend >= KEXEC_DESTINATION_MEMORY_LIMIT)