Unverified Commit fdcfce93 authored by Jann Horn's avatar Jann Horn Committed by Christian Brauner
Browse files

eventpoll: Fix integer overflow in ep_loop_check_proc() 



If a recursive call to ep_loop_check_proc() hits the `result = INT_MAX`,
an integer overflow will occur in the calling ep_loop_check_proc() at
`result = max(result, ep_loop_check_proc(ep_tovisit, depth + 1) + 1)`,
breaking the recursion depth check.

Fix it by using a different placeholder value that can't lead to an
overflow.

Reported-by: default avatarGuenter Roeck <linux@roeck-us.net>
Fixes: f2e467a4 ("eventpoll: Fix semi-unbounded recursion")
Cc: stable@vger.kernel.org
Signed-off-by: default avatarJann Horn <jannh@google.com>
Link: https://patch.msgid.link/20260223-epoll-int-overflow-v1-1-452f35132224@google.com


Signed-off-by: default avatarChristian Brauner <brauner@kernel.org>
parent f6a49548

fs/eventpoll.c

+3 −2
Original line number Diff line number Diff line
@@ -2061,7 +2061,8 @@ static int ep_poll(struct eventpoll *ep, struct epoll_event __user *events, 
 * @ep: the &struct eventpoll to be currently checked.

 * @depth: Current depth of the path being checked.

 *

 * Return: depth of the subtree, or INT_MAX if we found a loop or went too deep.

 * Return: depth of the subtree, or a value bigger than EP_MAX_NESTS if we found

 * a loop or went too deep.

 */

static int ep_loop_check_proc(struct eventpoll *ep, int depth)

{
@@ -2080,7 +2081,7 @@ static int ep_loop_check_proc(struct eventpoll *ep, int depth) 
			struct eventpoll *ep_tovisit;

			ep_tovisit = epi->ffd.file->private_data;

			if (ep_tovisit == inserting_into || depth > EP_MAX_NESTS)

				result = INT_MAX;

				result = EP_MAX_NESTS+1;

			else

				result = max(result, ep_loop_check_proc(ep_tovisit, depth + 1) + 1);

			if (result > EP_MAX_NESTS)