Message ID | 1551926175-24580-2-git-send-email-tyhicks@canonical.com |
---|---|
State | New |
Series | CVE-2019-9213 - Incorrect memory protection check |
On 3/7/19 3:36 AM, Tyler Hicks wrote:
> From: Jann Horn <jannh@google.com>
>
> security_mmap_addr() does a capability check with current_cred(), but
> we can reach this code from contexts like a VFS write handler where
> current_cred() must not be used.
>
> This can be abused on systems without SMAP to make NULL pointer
> dereferences exploitable again.
>
> Fixes: 8869477a49c3 ("security: protect from stack expansion into low vm addresses")
> Cc: stable@kernel.org
> Signed-off-by: Jann Horn <jannh@google.com>
> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
>
> CVE-2019-9213
>
> (cherry picked from commit 0a1d52994d440e21def1c2174932410b4f2a98a1)
> Signed-off-by: Tyler Hicks <tyhicks@canonical.com>

As mentioned on previous messages, this patch doesn't apply cleanly to trusty, so it needs to be fixed and marked as "(backported from ...)".

Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>

> --- > mm/mmap.c | 7 +++---- > 1 file changed, 3 insertions(+), 4 deletions(-) > > diff --git a/mm/mmap.c b/mm/mmap.c > index f189d4b08633..809a5869480f 100644 > --- a/mm/mmap.c > +++ b/mm/mmap.c > @@ -2391,12 +2391,11 @@ int expand_downwards(struct vm_area_struct *vma, > { > struct mm_struct *mm = vma->vm_mm; > struct vm_area_struct *prev; > - int error; > + int error = 0; > > address &= PAGE_MASK; > - error = security_mmap_addr(address); > - if (error) > - return error; > + if (address < mmap_min_addr) > + return -EPERM; > > /* Enforce stack_guard_gap */ > prev = vma->vm_prev;
diff --git a/mm/mmap.c b/mm/mmap.c index f189d4b08633..809a5869480f 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -2391,12 +2391,11 @@ int expand_downwards(struct vm_area_struct *vma, { struct mm_struct *mm = vma->vm_mm; struct vm_area_struct *prev; - int error; + int error = 0; address &= PAGE_MASK; - error = security_mmap_addr(address); - if (error) - return error; + if (address < mmap_min_addr) + return -EPERM; /* Enforce stack_guard_gap */ prev = vma->vm_prev;
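Review bot: the new `if (address < mmap_min_addr) return -EPERM;` check in expand_downwards() has no comment explaining why the security_mmap_addr() call was replaced by a bare comparison. The commit message gives the reason (the hook does a capability check with current_cred(), which must not be used in contexts such as a VFS write handler), and a one-line comment above the check saying that the capability check is deliberately omitted here would keep a later cleanup from restoring the hook. With the assignment from security_mmap_addr() removed, `int error = 0;` is now the only initialization of `error` in the visible lines, so when the patch is reworked for trusty, where it is reported not to apply cleanly, please confirm the surrounding context still matches this hunk and change the trailer from "(cherry picked from commit ...)" to "(backported from ...)".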