Commit f3c36774 authored by Tiwei Bie's avatar Tiwei Bie Committed by Tirui Yin
Browse files

um: Fix potential integer overflow during physmem setup 

stable inclusion
from stable-v6.6.64
commit a875c023155ea92b75d6323977003e64d92ae7fc
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBDHGO
CVE: CVE-2024-53145

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=a875c023155ea92b75d6323977003e64d92ae7fc



--------------------------------

[ Upstream commit a98b7761f697e590ed5d610d87fa12be66f23419 ]

This issue happens when the real map size is greater than LONG_MAX,
which can be easily triggered on UML/i386.

Fixes: fe205bdd ("um: Print minimum physical memory requirement")
Signed-off-by: default avatarTiwei Bie <tiwei.btw@antgroup.com>
Link: https://patch.msgid.link/20240916045950.508910-3-tiwei.btw@antgroup.com


Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
Signed-off-by: default avatarTirui Yin <yintirui@huawei.com>
Reviewed-by: default avataryongqiang Liu <liuyongqiang13@huawei.com>
parent a5cbe5b7

arch/um/kernel/physmem.c

+3 −3
Original line number Original line Diff line number Diff line
@@ -80,10 +80,10 @@ void __init setup_physmem(unsigned long start, unsigned long reserve_end, 
			  unsigned long len, unsigned long long highmem)

			  unsigned long len, unsigned long long highmem)

{

{

	unsigned long reserve = reserve_end - start;

	unsigned long reserve = reserve_end - start;

	long map_size = len - reserve;

	unsigned long map_size = len - reserve;

	int err;

	int err;





	if(map_size <= 0) {

	if (len <= reserve) {

		os_warn("Too few physical memory! Needed=%lu, given=%lu\n",

		os_warn("Too few physical memory! Needed=%lu, given=%lu\n",

			reserve, len);

			reserve, len);

		exit(1);

		exit(1);
@@ -94,7 +94,7 @@ void __init setup_physmem(unsigned long start, unsigned long reserve_end, 
	err = os_map_memory((void *) reserve_end, physmem_fd, reserve,

	err = os_map_memory((void *) reserve_end, physmem_fd, reserve,

			    map_size, 1, 1, 1);

			    map_size, 1, 1, 1);

	if (err < 0) {

	if (err < 0) {

		os_warn("setup_physmem - mapping %ld bytes of memory at 0x%p "

		os_warn("setup_physmem - mapping %lu bytes of memory at 0x%p "

			"failed - errno = %d\n", map_size,

			"failed - errno = %d\n", map_size,

			(void *) reserve_end, err);

			(void *) reserve_end, err);

		exit(1);

		exit(1);