From patchwork Tue Oct 11 15:39:21 2011
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: [3/3] vm: fix vm_pgoff wrap in upward expansion - CVE-2011-2496
From: Paolo Pisati <paolo.pisati@canonical.com>
X-Patchwork-Id: 119000
Message-Id: <1318347561-1410-4-git-send-email-paolo.pisati@canonical.com>
To: kernel-team@lists.ubuntu.com
Date: Tue, 11 Oct 2011 17:39:21 +0200

Commit a626ca6a6564 ("vm: fix vm_pgoff wrap in stack expansion") fixed
the case of an expanding mapping causing vm_pgoff wrapping when you had
downward stack expansion.  But there was another case where IA64 and
PA-RISC expand mappings: upward expansion.

This fixes that case too.

Signed-off-by: Hugh Dickins <hughd@google.com>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

CVE-2011-2496

BugLink: http://bugs.launchpad.net/bugs/869243

commit upstream a626ca6a656450e9f4df91d0dda238fff23285f4

Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>

---
mm/mmap.c |    9 ++++++---
 1 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/mm/mmap.c b/mm/mmap.c
index 1508d86..027108e 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -1735,9 +1735,12 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address)
 		size = address - vma->vm_start;
 		grow = (address - vma->vm_end) >> PAGE_SHIFT;
 
-		error = acct_stack_growth(vma, size, grow);
-		if (!error)
-			vma->vm_end = address;
+		error = -ENOMEM;
+		if (vma->vm_pgoff + (size >> PAGE_SHIFT) >= vma->vm_pgoff) {
+			error = acct_stack_growth(vma, size, grow);
+			if (!error)
+				vma->vm_end = address;
+		}
 	}
 	anon_vma_unlock(vma);
 	return error;