From: "Jin, Gordon" <gordon.jin@intel.com>

This patch fixes 2 cornercases of overflow caused by argument len in
sys_mincore():

Case 1: len is so large that will overflow to 0 after page alignment.
E.g. len=(size_t)(-1), i.e. 0xff...ff.
Expected result: it's overflow and return ENOMEM.
Current result: len is aligned to 0, then treated the same as len=0 and
return succeed.
This cornercase has been fixed in do_mmap_pgoff(), and here
sys_mincore() also needs this fix.

Case 2: len is a large number but will not overflow after alignment. But
start+len will overflow.
E.g. len=(size_t)(-PAGE_SIZE), and start>0.
Expected result: it's overflow and return ENOMEM.
Current result: return EINVAL. Looks like considering len as a
non-positive value, probably influenced by manpage. But since the type
of len is size_t, i.e. unsigned, it shouldn't be considered as
non-positive value.
I've also reported this inconsistency to manpage mincore.

Signed-off-by: Gordon Jin <gordon.jin@intel.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
---

 25-akpm/mm/mincore.c |   10 ++++++----
 1 files changed, 6 insertions(+), 4 deletions(-)

diff -puN mm/mincore.c~fix-mincore-cornercases-overflow-caused-by-large-len mm/mincore.c
--- 25/mm/mincore.c~fix-mincore-cornercases-overflow-caused-by-large-len	Thu Feb 17 16:59:01 2005
+++ 25-akpm/mm/mincore.c	Thu Feb 17 16:59:01 2005
@@ -97,8 +97,7 @@ static long mincore_vma(struct vm_area_s
  * return values:
  *  zero    - success
  *  -EFAULT - vec points to an illegal address
- *  -EINVAL - addr is not a multiple of PAGE_CACHE_SIZE,
- *		or len has a nonpositive value
+ *  -EINVAL - addr is not a multiple of PAGE_CACHE_SIZE
  *  -ENOMEM - Addresses in the range [addr, addr + len] are
  *		invalid for the address space of this process, or
  *		specify one or more pages which are not currently
@@ -126,10 +125,13 @@ asmlinkage long sys_mincore(unsigned lon
 	if (start >= limit)
 		goto enomem;
 
+	if (!len)
+		return 0;
+
 	max = limit - start;
 	len = PAGE_CACHE_ALIGN(len);
-	if (len > max)
-		goto einval;
+	if (len > max || !len)
+		goto enomem;
 
 	end = start + len;
 
_