Oleg has noticed that khugepaged will happilly collapse stack vma (as
long as it is not an early stack - see is_vma_temporary_stack) and
it might effectively remove the stack gap area as well because a larger
part of the stack vma is usually populated. The same applies to the
page fault handler.
Fix this by checking stack_guard_area when revalidating a VMA
in hugepage_vma_revalidate. We do not want to hook/replace
is_vma_temporary_stack() check because THP might be still useful for
stack, all we need is excluding the gap from collapsing into a THP.
Also check the to-be-created THP in do_huge_pmd_anonymous_page to
make sure it is completely outside of the gap area because we we could
create THP covering the gap area.
CVE-2017-
1000364
Noticed-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Michal Hocko <mhocko@suse.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
if (haddr < vma->vm_start || haddr + HPAGE_PMD_SIZE > vma->vm_end)
return VM_FAULT_FALLBACK;
+ if (stack_guard_area(vma, haddr) ||
+ stack_guard_area(vma, haddr + HPAGE_PMD_SIZE))
+ return VM_FAULT_FALLBACK;
if (unlikely(anon_vma_prepare(vma)))
return VM_FAULT_OOM;
if (unlikely(khugepaged_enter(vma, vma->vm_flags)))
return SCAN_ADDRESS_RANGE;
if (!hugepage_vma_check(vma))
return SCAN_VMA_CHECK;
+
+ /* never try to collapse stack gap */
+ if (stack_guard_area(vma, hstart) || stack_guard_area(vma, hend))
+ return SCAN_ADDRESS_RANGE;
return 0;
}