Allow stack to grow up to address space limit
authorHelge Deller <deller@gmx.de>
Mon, 19 Jun 2017 15:34:05 +0000 (17:34 +0200)
committerJuerg Haefliger <juerg.haefliger@canonical.com>
Mon, 26 Jun 2017 13:14:51 +0000 (15:14 +0200)
Fix expand_upwards() on architectures with an upward-growing stack (parisc,
metag and partly IA-64) to allow the stack to reliably grow exactly up to
the address space limit given by TASK_SIZE.

Signed-off-by: Helge Deller <deller@gmx.de>
Acked-by: Hugh Dickins <hughd@google.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
CVE-2017-1000364

(cherry-picked from commit bd726c90b6b8ce87602208701b208a208e6d5600)
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
mm/mmap.c

index ece0e5a2a25be37260b1c00974bcba32d2b91908..ef78a5ca5599bee6e62607e4e00a81705f0da388 100644 (file)
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -2226,16 +2226,19 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address)
        if (!(vma->vm_flags & VM_GROWSUP))
                return -EFAULT;
 
-       /* Guard against wrapping around to address 0. */
+       /* Guard against exceeding limits of the address space. */
        address &= PAGE_MASK;
-       address += PAGE_SIZE;
-       if (!address)
+       if (address >= TASK_SIZE)
                return -ENOMEM;
+       address += PAGE_SIZE;
 
        /* Enforce stack_guard_gap */
        gap_addr = address + stack_guard_gap;
-       if (gap_addr < address)
-               return -ENOMEM;
+
+       /* Guard against overflow */
+       if (gap_addr < address || gap_addr > TASK_SIZE)
+               gap_addr = TASK_SIZE;
+
        next = vma->vm_next;
        if (next && next->vm_start < gap_addr) {
                if (!(next->vm_flags & VM_GROWSUP))
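Review bot: The comment `/* Guard against overflow */` above the new clamp explains only the `gap_addr < address` half of the condition; the `gap_addr > TASK_SIZE` half silently shortens the enforced guard gap to less than stack_guard_gap when the stack sits close to the top of the address space. Since this check is part of the stack-guard-gap hardening, the reason that is safe should be written down, for example `/* Guard against overflow; no mapping can exist above TASK_SIZE, so the gap only needs to be enforced up to that limit */`. It is also worth confirming, from outside this hunk, that TASK_SIZE on the affected architectures describes the address space that owns `vma` rather than that of the calling task, because the new `address >= TASK_SIZE` test depends on it. The body of expand_upwards() begins before and continues after this hunk.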