1 | From aea792ba99ba73a6b0c4e5aea3b4b6b3f9d821f6 Mon Sep 17 00:00:00 2001 |
2 | From: Oleg Nesterov <oleg@redhat.com> | |
3 | Date: Mon, 17 Jul 2017 14:53:29 +0200 | |
4 | Subject: [PATCH 2/2] mm/mmap.c: expand_downwards: don't require the gap if | |
5 | !vm_prev | |
6 | ||
7 | expand_stack(vma) fails if address < stack_guard_gap even if there is no | |
8 | vma->vm_prev. I don't think this makes sense, and we didn't do this | |
9 | before the recent commit 1be7107fbe18 ("mm: larger stack guard gap, | |
10 | between vmas"). | |
11 | ||
12 | We do not need a gap in this case, any address is fine as long as | |
13 | security_mmap_addr() doesn't object. | |
14 | ||
15 | This also simplifies the code, we know that address >= prev->vm_end and | |
16 | thus underflow is not possible. | |
17 | ||
18 | Link: http://lkml.kernel.org/r/20170628175258.GA24881@redhat.com | |
19 | Signed-off-by: Oleg Nesterov <oleg@redhat.com> | |
20 | Acked-by: Michal Hocko <mhocko@suse.com> | |
21 | Cc: Hugh Dickins <hughd@google.com> | |
22 | Cc: Larry Woodman <lwoodman@redhat.com> | |
23 | Signed-off-by: Andrew Morton <akpm@linux-foundation.org> | |
24 | Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> | |
25 | ||
26 | CVE-2017-1000364 | |
27 | ||
28 | (cherry picked from commit 32e4e6d5cbb0c0e427391635991fe65e17797af8) | |
29 | Signed-off-by: Stefan Bader <stefan.bader@canonical.com> | |
30 | Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com> | |
31 | Acked-by: Kamal Mostafa <kamal@canonical.com> | |
32 | Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com> | |
33 | Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com> | |
34 | --- | |
35 | mm/mmap.c | 10 +++------- | |
36 | 1 file changed, 3 insertions(+), 7 deletions(-) | |
37 | ||
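--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -2312,7 +2312,6 @@ int expand_downwards(struct vm_area_struct *vma,
 {
 struct mm_struct *mm = vma->vm_mm;
 struct vm_area_struct *prev;
- unsigned long gap_addr;
 int error;
 
 address &= PAGE_MASK;
@@ -2321,15 +2320,12 @@ int expand_downwards(struct vm_area_struct *vma,
 return error;
 
 /* Enforce stack_guard_gap */
- gap_addr = address - stack_guard_gap;
- if (gap_addr > address)
- return -ENOMEM;
 prev = vma->vm_prev;
- if (prev && prev->vm_end > gap_addr &&
+ /* Check that both stack segments have the same anon_vma? */
+ if (prev && !(prev->vm_flags & VM_GROWSDOWN) &&
 (prev->vm_flags & (VM_WRITE|VM_READ|VM_EXEC))) {
- if (!(prev->vm_flags & VM_GROWSDOWN))
+ if (address - prev->vm_end < stack_guard_gap)
 return -ENOMEM;
- /* Check that both stack segments have the same anon_vma? */
 }
 
 /* We must make sure the anon_vma is allocated. */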
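Review bot: In the second hunk, `address - prev->vm_end < stack_guard_gap` is an unsigned subtraction that would wrap to a huge value and pass the check if address were ever below prev->vm_end. The commit message asserts address >= prev->vm_end, but nothing on the visible lines establishes or documents it. I would add a comment above the inner test, e.g. `/* callers guarantee address >= prev->vm_end, so this cannot wrap */`, so that a later change to a caller does not silently disable the guard gap. With no vm_prev, the only lower bound left is the earlier check whose result is returned by `return error;` (security_mmap_addr() according to the description), which is worth stating next to `/* Enforce stack_guard_gap */`. The relocated `/* Check that both stack segments have the same anon_vma? */` now sits above a condition that excludes VM_GROWSDOWN neighbours and reads as if it described that test; expand_downwards() starts and ends outside both hunks.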
69 | -- | |
70 | 2.11.0 | |
71 |