Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
eventpoll: Fix integer overflow in ep_loop_check_proc()

If a recursive call to ep_loop_check_proc() hits the `result = INT_MAX`,
an integer overflow will occur in the calling ep_loop_check_proc() at
`result = max(result, ep_loop_check_proc(ep_tovisit, depth + 1) + 1)`,
breaking the recursion depth check.

Fix it by using a different placeholder value that can't lead to an
overflow.

Reported-by: Guenter Roeck <linux@roeck-us.net>
Fixes: f2e467a48287 ("eventpoll: Fix semi-unbounded recursion")
Cc: stable@vger.kernel.org
Signed-off-by: Jann Horn <jannh@google.com>
Link: https://patch.msgid.link/20260223-epoll-int-overflow-v1-1-452f35132224@google.com
Signed-off-by: Christian Brauner <brauner@kernel.org>

authored by

Jann Horn and committed by
Christian Brauner
fdcfce93 f6a49548

+3 -2
fs/eventpoll.c
··· 2061 2061 * @ep: the &struct eventpoll to be currently checked. 2062 2062 * @depth: Current depth of the path being checked. 2063 2063 * 2064 - * Return: depth of the subtree, or INT_MAX if we found a loop or went too deep. 2064 + * Return: depth of the subtree, or a value bigger than EP_MAX_NESTS if we found 2065 + * a loop or went too deep. 2065 2066 */ 2066 2067 static int ep_loop_check_proc(struct eventpoll *ep, int depth) 2067 2068 { ··· 2081 2080 struct eventpoll *ep_tovisit; 2082 2081 ep_tovisit = epi->ffd.file->private_data; 2083 2082 if (ep_tovisit == inserting_into || depth > EP_MAX_NESTS) 2084 - result = INT_MAX; 2083 + result = EP_MAX_NESTS+1; 2085 2084 else 2086 2085 result = max(result, ep_loop_check_proc(ep_tovisit, depth + 1) + 1); 2087 2086 if (result > EP_MAX_NESTS)
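Review bot: In the first hunk, the new kernel-doc `Return:` text for ep_loop_check_proc() says only "a value bigger than EP_MAX_NESTS" and leaves the upper bound unstated, which is the property this fix depends on. Consider adding that the failure value starts at EP_MAX_NESTS + 1 and grows by at most one per level as the recursion unwinds (the `... + 1` in the `max()` line), and that `depth > EP_MAX_NESTS` caps the number of levels, so the result stays far below INT_MAX. Callers are not visible in this diff; any that compared the result against INT_MAX would need to test `> EP_MAX_NESTS` instead.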
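Review bot: In the second hunk, `result = EP_MAX_NESTS+1;` has no spaces around the binary `+`, unlike `depth + 1` two lines below it; write `EP_MAX_NESTS + 1` to match kernel coding style. A short comment above the assignment noting that the placeholder must stay safe to increment in the caller's `ep_loop_check_proc(ep_tovisit, depth + 1) + 1` would help keep a later cleanup from putting INT_MAX back here.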