[pve-kernel.git] / CVE-2017-1000364-mm-mmap.c-expand_downwards-don-t-require-the-gap-if-.patch

From aea792ba99ba73a6b0c4e5aea3b4b6b3f9d821f6 Mon Sep 17 00:00:00 2001
From: Oleg Nesterov <oleg@redhat.com>
Date: Mon, 17 Jul 2017 14:53:29 +0200
Subject: [PATCH 2/2] mm/mmap.c: expand_downwards: don't require the gap if
 !vm_prev

expand_stack(vma) fails if address < stack_guard_gap even if there is no
vma->vm_prev.  I don't think this makes sense, and we didn't do this
before the recent commit 1be7107fbe18 ("mm: larger stack guard gap,
between vmas").

We do not need a gap in this case, any address is fine as long as
security_mmap_addr() doesn't object.

This also simplifies the code, we know that address >= prev->vm_end and
thus underflow is not possible.

Link: http://lkml.kernel.org/r/20170628175258.GA24881@redhat.com
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: Larry Woodman <lwoodman@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

CVE-2017-1000364

(cherry picked from commit 32e4e6d5cbb0c0e427391635991fe65e17797af8)
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
Acked-by: Kamal Mostafa <kamal@canonical.com>
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
---
 mm/mmap.c | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)

diff --git a/mm/mmap.c b/mm/mmap.c
index 9fabd8c82f38..09c728a1eeee 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -2312,7 +2312,6 @@ int expand_downwards(struct vm_area_struct *vma,
 {
 	struct mm_struct *mm = vma->vm_mm;
 	struct vm_area_struct *prev;
-	unsigned long gap_addr;
 	int error;
 
 	address &= PAGE_MASK;
@@ -2321,15 +2320,12 @@ int expand_downwards(struct vm_area_struct *vma,
 		return error;
 
 	/* Enforce stack_guard_gap */
-	gap_addr = address - stack_guard_gap;
-	if (gap_addr > address)
-		return -ENOMEM;
 	prev = vma->vm_prev;
-	if (prev && prev->vm_end > gap_addr &&
+	/* Check that both stack segments have the same anon_vma? */
+	if (prev && !(prev->vm_flags & VM_GROWSDOWN) &&
 			(prev->vm_flags & (VM_WRITE|VM_READ|VM_EXEC))) {
-		if (!(prev->vm_flags & VM_GROWSDOWN))
+		if (address - prev->vm_end < stack_guard_gap)
 			return -ENOMEM;
-		/* Check that both stack segments have the same anon_vma? */
 	}
 
 	/* We must make sure the anon_vma is allocated. */
-- 
2.11.0
Commit	Line	Data
4c390211 TL	1	From aea792ba99ba73a6b0c4e5aea3b4b6b3f9d821f6 Mon Sep 17 00:00:00 2001
	2	From: Oleg Nesterov <oleg@redhat.com>
	3	Date: Mon, 17 Jul 2017 14:53:29 +0200
	4	Subject: [PATCH 2/2] mm/mmap.c: expand_downwards: don't require the gap if
	5	!vm_prev
	6
	7	expand_stack(vma) fails if address < stack_guard_gap even if there is no
	8	vma->vm_prev. I don't think this makes sense, and we didn't do this
	9	before the recent commit 1be7107fbe18 ("mm: larger stack guard gap,
	10	between vmas").
	11
	12	We do not need a gap in this case, any address is fine as long as
	13	security_mmap_addr() doesn't object.
	14
	15	This also simplifies the code, we know that address >= prev->vm_end and
	16	thus underflow is not possible.
	17
	18	Link: http://lkml.kernel.org/r/20170628175258.GA24881@redhat.com
	19	Signed-off-by: Oleg Nesterov <oleg@redhat.com>
	20	Acked-by: Michal Hocko <mhocko@suse.com>
	21	Cc: Hugh Dickins <hughd@google.com>
	22	Cc: Larry Woodman <lwoodman@redhat.com>
	23	Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
	24	Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
	25
	26	CVE-2017-1000364
	27
	28	(cherry picked from commit 32e4e6d5cbb0c0e427391635991fe65e17797af8)
	29	Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
	30	Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
	31	Acked-by: Kamal Mostafa <kamal@canonical.com>
	32	Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
	33	Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
	34	---
	35	mm/mmap.c \| 10 +++-------
	36	1 file changed, 3 insertions(+), 7 deletions(-)
	37
	38	diff --git a/mm/mmap.c b/mm/mmap.c
	39	index 9fabd8c82f38..09c728a1eeee 100644
	40	--- a/mm/mmap.c
	41	+++ b/mm/mmap.c
	42	@@ -2312,7 +2312,6 @@ int expand_downwards(struct vm_area_struct *vma,
	43	{
	44	struct mm_struct *mm = vma->vm_mm;
	45	struct vm_area_struct *prev;
	46	- unsigned long gap_addr;
	47	int error;
	48
	49	address &= PAGE_MASK;
	50	@@ -2321,15 +2320,12 @@ int expand_downwards(struct vm_area_struct *vma,
	51	return error;
	52
	53	/* Enforce stack_guard_gap */
	54	- gap_addr = address - stack_guard_gap;
	55	- if (gap_addr > address)
	56	- return -ENOMEM;
	57	prev = vma->vm_prev;
	58	- if (prev && prev->vm_end > gap_addr &&
	59	+ /* Check that both stack segments have the same anon_vma? */
	60	+ if (prev && !(prev->vm_flags & VM_GROWSDOWN) &&
	61	(prev->vm_flags & (VM_WRITE\|VM_READ\|VM_EXEC))) {
	62	- if (!(prev->vm_flags & VM_GROWSDOWN))
	63	+ if (address - prev->vm_end < stack_guard_gap)
	64	return -ENOMEM;
65	- /* Check that both stack segments have the same anon_vma? */
66	}
67
68	/* We must make sure the anon_vma is allocated. */
69	--
70	2.11.0
71