Commit 1c24de60 authored by Jerome Marchand's avatar Jerome Marchand Committed by Linus Torvalds

kernel/groups.c: fix integer overflow in groups_search

gid_t is a unsigned int.  If group_info contains a gid greater than
MAX_INT, groups_search() function may look on the wrong side of the search
tree.

This solves some unfair "permission denied" problems.
Signed-off-by: default avatarJerome Marchand <jmarchan@redhat.com>
Cc: <stable@kernel.org>
Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
parent 94131e17
......@@ -143,10 +143,9 @@ int groups_search(const struct group_info *group_info, gid_t grp)
right = group_info->ngroups;
while (left < right) {
unsigned int mid = (left+right)/2;
int cmp = grp - GROUP_AT(group_info, mid);
if (cmp > 0)
if (grp > GROUP_AT(group_info, mid))
left = mid + 1;
else if (cmp < 0)
else if (grp < GROUP_AT(group_info, mid))
right = mid;
else
return 1;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment