From patchwork Tue Oct 11 15:39:21 2011 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Paolo Pisati X-Patchwork-Id: 119000 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from chlorine.canonical.com (chlorine.canonical.com [91.189.94.204]) by ozlabs.org (Postfix) with ESMTP id 3C265B6F77 for ; Wed, 12 Oct 2011 02:39:41 +1100 (EST) Received: from localhost ([127.0.0.1] helo=chlorine.canonical.com) by chlorine.canonical.com with esmtp (Exim 4.71) (envelope-from ) id 1RDeQU-0002Nx-C5; Tue, 11 Oct 2011 15:39:30 +0000 Received: from youngberry.canonical.com ([91.189.89.112]) by chlorine.canonical.com with esmtp (Exim 4.71) (envelope-from ) id 1RDeQP-0002M8-NV for kernel-team@lists.ubuntu.com; Tue, 11 Oct 2011 15:39:25 +0000 Received: from dynamic-adsl-94-36-103-26.clienti.tiscali.it ([94.36.103.26] helo=canonical.com) by youngberry.canonical.com with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1RDeQP-00008K-IB for kernel-team@lists.ubuntu.com; Tue, 11 Oct 2011 15:39:25 +0000 From: Paolo Pisati To: kernel-team@lists.ubuntu.com Subject: [PATCH 3/3] vm: fix vm_pgoff wrap in upward expansion - CVE-2011-2496 Date: Tue, 11 Oct 2011 17:39:21 +0200 Message-Id: <1318347561-1410-4-git-send-email-paolo.pisati@canonical.com> X-Mailer: git-send-email 1.7.5.4 In-Reply-To: <1318347561-1410-1-git-send-email-paolo.pisati@canonical.com> References: <1318347561-1410-1-git-send-email-paolo.pisati@canonical.com> X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.13 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Sender: kernel-team-bounces@lists.ubuntu.com Errors-To: kernel-team-bounces@lists.ubuntu.com Commit a626ca6a6564 ("vm: fix vm_pgoff wrap in stack expansion") fixed the case of an expanding mapping causing vm_pgoff wrapping when you had downward stack expansion. But there was another case where IA64 and PA-RISC expand mappings: upward expansion. This fixes that case too. Signed-off-by: Hugh Dickins Cc: stable@kernel.org Signed-off-by: Linus Torvalds CVE-2011-2496 BugLink: http://bugs.launchpad.net/bugs/869243 commit upstream a626ca6a656450e9f4df91d0dda238fff23285f4 Signed-off-by: Paolo Pisati --- mm/mmap.c | 9 ++++++--- 1 files changed, 6 insertions(+), 3 deletions(-) diff --git a/mm/mmap.c b/mm/mmap.c index 1508d86..027108e 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -1735,9 +1735,12 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address) size = address - vma->vm_start; grow = (address - vma->vm_end) >> PAGE_SHIFT; - error = acct_stack_growth(vma, size, grow); - if (!error) - vma->vm_end = address; + error = -ENOMEM; + if (vma->vm_pgoff + (size >> PAGE_SHIFT) >= vma->vm_pgoff) { + error = acct_stack_growth(vma, size, grow); + if (!error) + vma->vm_end = address; + } } anon_vma_unlock(vma); return error;