From 1fca16492a85f69fbdd498fdd66156f7de44262d Mon Sep 17 00:00:00 2001
From: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
Date: Tue, 18 Apr 2006 03:04:00 +0000
Subject: [PATCH] IPC: access to unmapped vmalloc area in grow_ary()

grow_ary() should not copy struct ipc_id_ary (it copies new->p, not
new). Due to this, memcpy() src pointer could hit unmapped vmalloc page
when near page boundary.

Found during OpenVZ stress testing

Signed-off-by: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
Signed-off-by: Kirill Korotaev <dev@openvz.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
 ipc/util.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/ipc/util.c b/ipc/util.c
index 862621980b0..303b05844f5 100644
--- a/ipc/util.c
+++ b/ipc/util.c
@@ -182,8 +182,7 @@ static int grow_ary(struct ipc_ids* ids, int newsize)
 	if(new == NULL)
 		return size;
 	new->size = newsize;
-	memcpy(new->p, ids->entries->p, sizeof(struct kern_ipc_perm *)*size +
-					sizeof(struct ipc_id_ary));
+	memcpy(new->p, ids->entries->p, sizeof(struct kern_ipc_perm *)*size);
 	for(i=size;i<newsize;i++) {
 		new->p[i] = NULL;
 	}
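Review bot: On the new memcpy() line, the byte count is still written out by hand as sizeof(struct kern_ipc_perm *)*size, independent of the destination it fills. That is the same kind of mismatch behind the over-read being fixed, where the old length added sizeof(struct ipc_id_ary) although the copy starts at ->p, past the header. Consider deriving the length from the destination, for example `memcpy(new->p, ids->entries->p, sizeof(new->p[0]) * size);`, and adding a one-line comment that only the pointer array is copied because new->size is set separately just above. The copy also assumes size <= newsize; that check is not in the visible context, so confirm it holds earlier in grow_ary().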
-- 
cgit v1.2.3-18-g5258