From patchwork Wed Oct 12 10:03:16 2011 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: [2/2] vm: fix vm_pgoff wrap in upward expansion - CVE-2011-2496 Date: Wed, 12 Oct 2011 00:03:16 -0000 From: Paolo Pisati X-Patchwork-Id: 119177 Message-Id: <1318413796-4617-1-git-send-email-paolo.pisati@canonical.com> To: kernel-team@lists.ubuntu.com From: Hugh Dickins Commit a626ca6a6564 ("vm: fix vm_pgoff wrap in stack expansion") fixed the case of an expanding mapping causing vm_pgoff wrapping when you had downward stack expansion. But there was another case where IA64 and PA-RISC expand mappings: upward expansion. This fixes that case too. Signed-off-by: Hugh Dickins Cc: stable@kernel.org Signed-off-by: Linus Torvalds CVE-2011-2496 BugLink: http://bugs.launchpad.net/bugs/869243 commit upstream 42c36f63ac1366ab0ecc2d5717821362c259f517 Signed-off-by: Paolo Pisati --- mm/mmap.c | 9 ++++++--- 1 files changed, 6 insertions(+), 3 deletions(-) diff --git a/mm/mmap.c b/mm/mmap.c index 6aa3f80..a8bde69 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -1737,9 +1737,12 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address) size = address - vma->vm_start; grow = (address - vma->vm_end) >> PAGE_SHIFT; - error = acct_stack_growth(vma, size, grow); - if (!error) - vma->vm_end = address; + error = -ENOMEM; + if (vma->vm_pgoff + (size >> PAGE_SHIFT) >= vma->vm_pgoff) { + error = acct_stack_growth(vma, size, grow); + if (!error) + vma->vm_end = address; + } } anon_vma_unlock(vma); return error;