Re: Bug in VM accounting code, probably exploitable

[Hugh Dickins]

On Tue, 11 May 2004, Stas Sergeev wrote:
> mprotect() fails to merge VMAs because one VMA can end up with
> VM_ACCOUNT flag set, and another without that flag. That makes
> several apps of mine to malfuncate.
> And the fix looks also very strange, but it seems to work.

Great find!  Someone has got their test the wrong way round.
Your patch is good, but since that VM_MAYACCT macro is being
used in one place only, and just hiding what it's actually about,
I'd prefer the patch below.  Against 2.6.6: Andrew, please apply.

--- 2.6.6/include/linux/mm.h	2004-05-10 03:33:36.000000000 +0100
+++ linux/include/linux/mm.h	2004-05-11 21:26:12.296881936 +0100
@@ -112,9 +112,6 @@ struct vm_area_struct {
 #define VM_HUGETLB	0x00400000	/* Huge TLB Page VM */
 #define VM_NONLINEAR	0x00800000	/* Is non-linear (remap_file_pages) */
 
-/* It makes sense to apply VM_ACCOUNT to this vma. */
-#define VM_MAYACCT(vma) (!!((vma)->vm_flags & VM_HUGETLB))
-
 #ifndef VM_STACK_DEFAULT_FLAGS		/* arch can override this */
 #define VM_STACK_DEFAULT_FLAGS VM_DATA_DEFAULT_FLAGS
 #endif
--- 2.6.6/mm/mprotect.c	2004-05-10 03:33:48.000000000 +0100
+++ linux/mm/mprotect.c	2004-05-11 21:27:17.079033552 +0100
@@ -174,8 +174,7 @@ mprotect_fixup(struct vm_area_struct *vm
 	 * a MAP_NORESERVE private mapping to writable will now reserve.
 	 */
 	if (newflags & VM_WRITE) {
-		if (!(vma->vm_flags & (VM_ACCOUNT|VM_WRITE|VM_SHARED))
-				&& VM_MAYACCT(vma)) {
+		if (!(vma->vm_flags & (VM_ACCOUNT|VM_WRITE|VM_SHARED|VM_HUGETLB))) {
 			charged = (end - start) >> PAGE_SHIFT;
 			if (security_vm_enough_memory(charged))
 				return -ENOMEM;

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/