CVE-2017-1000364-mm-mmap.c-expand_downwards-don-t-require-the-gap-if-.patch

   1 From aea792ba99ba73a6b0c4e5aea3b4b6b3f9d821f6 Mon Sep 17 00:00:00 2001
   2 From: Oleg Nesterov <oleg@redhat.com>
   3 Date: Mon, 17 Jul 2017 14:53:29 +0200
   4 Subject: [PATCH 2/2] mm/mmap.c: expand_downwards: don't require the gap if
   5  !vm_prev
   6
   7 expand_stack(vma) fails if address < stack_guard_gap even if there is no
   8 vma->vm_prev.  I don't think this makes sense, and we didn't do this
   9 before the recent commit 1be7107fbe18 ("mm: larger stack guard gap,
  10 between vmas").
  11
  12 We do not need a gap in this case, any address is fine as long as
  13 security_mmap_addr() doesn't object.
  14
  15 This also simplifies the code, we know that address >= prev->vm_end and
  16 thus underflow is not possible.
  17
  18 Link: http://lkml.kernel.org/r/20170628175258.GA24881@redhat.com
  19 Signed-off-by: Oleg Nesterov <oleg@redhat.com>
  20 Acked-by: Michal Hocko <mhocko@suse.com>
  21 Cc: Hugh Dickins <hughd@google.com>
  22 Cc: Larry Woodman <lwoodman@redhat.com>
  23 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
  24 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
  25
  26 CVE-2017-1000364
  27
  28 (cherry picked from commit 32e4e6d5cbb0c0e427391635991fe65e17797af8)
  29 Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
  30 Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
  31 Acked-by: Kamal Mostafa <kamal@canonical.com>
  32 Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
  33 Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  34 ---
  35  mm/mmap.c | 10 +++-------
  36  1 file changed, 3 insertions(+), 7 deletions(-)
  37
  38 diff --git a/mm/mmap.c b/mm/mmap.c
  39 index 9fabd8c82f38..09c728a1eeee 100644
  40 --- a/mm/mmap.c
  41 +++ b/mm/mmap.c
  42 @@ -2312,7 +2312,6 @@ int expand_downwards(struct vm_area_struct *vma,
  43  {
  44         struct mm_struct *mm = vma->vm_mm;
  45         struct vm_area_struct *prev;
  46 -       unsigned long gap_addr;
  47         int error;
  48
  49         address &= PAGE_MASK;
  50 @@ -2321,15 +2320,12 @@ int expand_downwards(struct vm_area_struct *vma,
  51                 return error;
  52
  53         /* Enforce stack_guard_gap */
  54 -       gap_addr = address - stack_guard_gap;
  55 -       if (gap_addr > address)
  56 -               return -ENOMEM;
  57         prev = vma->vm_prev;
  58 -       if (prev && prev->vm_end > gap_addr &&
  59 +       /* Check that both stack segments have the same anon_vma? */
  60 +       if (prev && !(prev->vm_flags & VM_GROWSDOWN) &&
  61                         (prev->vm_flags & (VM_WRITE|VM_READ|VM_EXEC))) {
  62 -               if (!(prev->vm_flags & VM_GROWSDOWN))
  63 +               if (address - prev->vm_end < stack_guard_gap)
  64                         return -ENOMEM;
  65 -               /* Check that both stack segments have the same anon_vma? */
  66         }
  67
  68         /* We must make sure the anon_vma is allocated. */
  69 --
  70 2.11.0
  71