From: Jiri Pirko <jpirko@redhat.com> Date: Mon, 23 Aug 2010 14:03:18 -0400 Subject: [mm] accept an abutting stack segment Message-id: <20100823140317.GA15848@psychotron.brq.redhat.com> Patchwork-id: 27774 O-Subject: [RHEL5.6 patch] CVE-2010-2240 BZ607858 mm: accept an abutting stack segment Bugzilla: 607858 CVE: CVE-2010-2240 RH-Acked-by: Rik van Riel <riel@redhat.com> RH-Acked-by: Larry Woodman <lwoodman@redhat.com> BZ607858 https://bugzilla.redhat.com/show_bug.cgi?id=607858 Description: Since we do not have vma->vm_prev in rhel5 using find_vma_prev instead. Also, accept an abutting stack segment, since that happens naturally if you split the stack with mlock or mprotect. Upstream: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=0e8e50e20c837eeec8323bba7dcd25fe5479194c Brew: https://brewweb.devel.redhat.com/taskinfo?taskID=2699433 Please review. Jirka Signed-off-by: Jiri Pirko <jpirko@redhat.com> Signed-off-by: Jarod Wilson <jarod@redhat.com> diff --git a/mm/memory.c b/mm/memory.c index 997afd3..ef2f14f 100644 --- a/mm/memory.c +++ b/mm/memory.c @@ -2363,11 +2363,20 @@ static inline int check_stack_guard_page(struct vm_area_struct *vma, unsigned lo { address &= PAGE_MASK; if ((vma->vm_flags & VM_GROWSDOWN) && address == vma->vm_start) { - address -= PAGE_SIZE; - if (find_vma(vma->vm_mm, address) != vma) - return -ENOMEM; + struct vm_area_struct *prev; + + find_vma_prev(vma->vm_mm, address, &prev); + + /* + * Is there a mapping abutting this one below? + * + * That's only ok if it's the same stack mapping + * that has gotten split.. + */ + if (prev && prev->vm_end == address) + return prev->vm_flags & VM_GROWSDOWN ? 0 : -ENOMEM; - expand_stack(vma, address); + expand_stack(vma, address - PAGE_SIZE); } return 0; }
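Review bot: the return value of expand_stack() is still discarded on the last changed line of the hunk (`expand_stack(vma, address - PAGE_SIZE);`), so if the expansion fails, check_stack_guard_page() returns 0 anyway and the caller cannot tell that the guard page was not claimed; consider `return expand_stack(vma, address - PAGE_SIZE);` so the failure propagates like the -ENOMEM in the abutting-mapping case just above it. The new early return is otherwise sound for what this backport describes: `find_vma_prev(vma->vm_mm, address, &prev)` is called with address == vma->vm_start, so prev is the mapping directly below the faulting stack vma, an abutting prev that is itself VM_GROWSDOWN (a stack split by mlock or mprotect) is accepted without expanding, and any other abutting mapping keeps the -ENOMEM result of the old find_vma() check. Minor style point in the added comment: the trailing ".." after "gotten split" should be a single period.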