[PATCH 4.4 114/160] mm: refuse wrapped vm_brk requests

From: Greg Kroah-Hartman
Date: Mon Nov 19 2018 - 12:00:54 EST


4.4-stable review patch. If anyone has any objections, please let me know.

------------------

commit ba093a6d9397da8eafcfbaa7d95bd34255da39a0 upstream.

The vm_brk() alignment calculations should refuse to overflow. The ELF
loader was depending on this, but it has been fixed now. No other unsafe
callers have been found.

Link: http://lkml.kernel.org/r/1468014494-25291-3-git-send-email-keescook@xxxxxxxxxxxx
Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx>
Reported-by: Hector Marco-Gisbert <hecmargi@xxxxxx>
Cc: Ismael Ripoll Ripoll <iripoll@xxxxxx>
Cc: Alexander Viro <viro@xxxxxxxxxxxxxxxxxx>
Cc: "Kirill A. Shutemov" <kirill.shutemov@xxxxxxxxxxxxxxx>
Cc: Oleg Nesterov <oleg@xxxxxxxxxx>
Cc: Chen Gang <gang.chen.5i5j@xxxxxxxxx>
Cc: Michal Hocko <mhocko@xxxxxxxx>
Cc: Konstantin Khlebnikov <koct9i@xxxxxxxxx>
Cc: Andrea Arcangeli <aarcange@xxxxxxxxxx>
Cc: Andrey Ryabinin <aryabinin@xxxxxxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
Signed-off-by: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>
[bwh: Backported to 4.4: adjust context]
Signed-off-by: Ben Hutchings <ben.hutchings@xxxxxxxxxxxxxxx>
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
---
mm/mmap.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/mm/mmap.c b/mm/mmap.c
index 39f5fbd07486..dd9205542a86 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -2808,16 +2808,18 @@ static inline void verify_mm_writelocked(struct mm_struct *mm)
* anonymous maps. eventually we may be able to do some
* brk-specific accounting here.
*/
-static unsigned long do_brk(unsigned long addr, unsigned long len)
+static unsigned long do_brk(unsigned long addr, unsigned long request)
{
struct mm_struct *mm = current->mm;
struct vm_area_struct *vma, *prev;
- unsigned long flags;
+ unsigned long flags, len;
struct rb_node **rb_link, *rb_parent;
pgoff_t pgoff = addr >> PAGE_SHIFT;
int error;

- len = PAGE_ALIGN(len);
+ len = PAGE_ALIGN(request);
+ if (len < request)
+ return -ENOMEM;
if (!len)
return addr;

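Review bot: The ordering of the new check is load-bearing and deserves a one-line comment: `if (len < request) return -ENOMEM;` has to stay ahead of `if (!len) return addr;`, because a request within PAGE_SIZE-1 of ULONG_MAX aligns to exactly 0, and the second test would then report success with an unchanged addr instead of an error; a comment such as "PAGE_ALIGN() wrapped" next to the check would keep a later reorder from silently reintroducing that path. The block comment above do_brk() also still only talks about brk-specific accounting; it should state that `request` is the unaligned byte count and that a request whose page alignment wraps is rejected.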
--
2.17.1
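The wrap the commit message describes, shown side by side as the pre-patch and post-patch length prologue of do_brk(). This is an added example for this review, not code from mm/mmap.c; the PAGE_* macros are a constructed stand-in for the kernel's (4 KiB pages), and the `brk_outcome` enum and prologue functions are hypothetical names used only here.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>

/* Constructed stand-in for the kernel page macros (4 KiB pages). */
#define PAGE_SHIFT 12
#define PAGE_SIZE (1UL << PAGE_SHIFT)
#define PAGE_MASK (~(PAGE_SIZE - 1))
#define PAGE_ALIGN(x) (((x) + PAGE_SIZE - 1) & PAGE_MASK)

/* Hypothetical outcome of the length prologue; the real do_brk() goes on
 * to set up the mapping on BRK_OK. */
enum brk_outcome { BRK_OK, BRK_NOTHING, BRK_REFUSED };

/* Pre-patch prologue: when PAGE_ALIGN() wraps to 0, the result is
 * indistinguishable from a zero-length request and the caller sees
 * "nothing to do", i.e. success, for an impossible size. */
enum brk_outcome old_brk_prologue(unsigned long request, unsigned long *len)
{
	*len = PAGE_ALIGN(request);
	if (!*len)
		return BRK_NOTHING;
	return BRK_OK;
}

/* Post-patch prologue: a wrapped alignment is smaller than the request it
 * came from, so it is refused with -ENOMEM before the !len test runs. */
enum brk_outcome new_brk_prologue(unsigned long request, unsigned long *len,
				  int *err)
{
	*err = 0;
	*len = PAGE_ALIGN(request);
	if (*len < request) {
		*err = -ENOMEM;
		return BRK_REFUSED;
	}
	if (!*len)
		return BRK_NOTHING;
	return BRK_OK;
}

int main(void)
{
	unsigned long len;
	int err;
	/* Constructed request within PAGE_SIZE-1 of ULONG_MAX: alignment wraps. */
	enum brk_outcome o = old_brk_prologue(ULONG_MAX - 10, &len);
	printf("old: outcome=%d len=%lu (looks like success)\n", o, len);
	o = new_brk_prologue(ULONG_MAX - 10, &len, &err);
	printf("new: outcome=%d err=%d\n", o, err);
	return 0;
}
```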