kexec: ensure user memory sizes do not wrap
authorRussell King <rmk+kernel@arm.linux.org.uk>
Tue, 2 Aug 2016 21:05:57 +0000 (14:05 -0700)
committerLinus Torvalds <torvalds@linux-foundation.org>
Tue, 2 Aug 2016 23:35:26 +0000 (19:35 -0400)
Ensure that user memory sizes do not wrap around when validating the
user input, which can lead to the following input validation working
incorrectly.

[akpm@linux-foundation.org: fix it for kexec-return-error-number-directly.patch]
Link: http://lkml.kernel.org/r/E1b8koF-0004HM-5x@rmk-PC.armlinux.org.uk
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Reviewed-by: Pratyush Anand <panand@redhat.com>
Acked-by: Baoquan He <bhe@redhat.com>
Cc: Keerthy <j-keerthy@ti.com>
Cc: Vitaly Andrianov <vitalya@ti.com>
Cc: Eric Biederman <ebiederm@xmission.com>
Cc: Dave Young <dyoung@redhat.com>
Cc: Vivek Goyal <vgoyal@redhat.com>
Cc: Simon Horman <horms@verge.net.au>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
kernel/kexec_core.c

index 23311c803b1b880f73bf962893961bd76ca9f32b..5a83b2a9d5848bbdafd124a53e9aa8a0fcfa54f5 100644 (file)
@@ -168,6 +168,8 @@ int sanity_check_segment_list(struct kimage *image)
 
                mstart = image->segment[i].mem;
                mend   = mstart + image->segment[i].memsz;
+               if (mstart > mend)
+                       return -EADDRNOTAVAIL;
                if ((mstart & ~PAGE_MASK) || (mend & ~PAGE_MASK))
                        return -EADDRNOTAVAIL;
                if (mend >= KEXEC_DESTINATION_MEMORY_LIMIT)