From: Jerome Marchand Date: Thu, 9 Sep 2010 23:37:59 +0000 (-0700) Subject: kernel/groups.c: fix integer overflow in groups_search X-Git-Tag: v2.6.35.5~42 X-Git-Url: https://git.karo-electronics.de/?a=commitdiff_plain;h=9eca1e9defb46502949e35d1c81ad98d682da9e5;p=karo-tx-linux.git kernel/groups.c: fix integer overflow in groups_search commit 1c24de60e50fb19b94d94225458da17c720f0729 upstream. gid_t is a unsigned int. If group_info contains a gid greater than MAX_INT, groups_search() function may look on the wrong side of the search tree. This solves some unfair "permission denied" problems. Signed-off-by: Jerome Marchand Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman --- diff --git a/kernel/groups.c b/kernel/groups.c index 53b1916c9492..253dc0f35cf4 100644 --- a/kernel/groups.c +++ b/kernel/groups.c @@ -143,10 +143,9 @@ int groups_search(const struct group_info *group_info, gid_t grp) right = group_info->ngroups; while (left < right) { unsigned int mid = (left+right)/2; - int cmp = grp - GROUP_AT(group_info, mid); - if (cmp > 0) + if (grp > GROUP_AT(group_info, mid)) left = mid + 1; - else if (cmp < 0) + else if (grp < GROUP_AT(group_info, mid)) right = mid; else return 1;