
kernel-2.6.18-238.el5.src.rpm

From: Danny Feng <dfeng@redhat.com>
Date: Fri, 29 Jan 2010 09:25:40 -0500
Subject: [mm] fix checks for expand-in-place mremap
Message-id: <20100129092552.4587.87072.sendpatchset@dhcp-65-180.nay.redhat.com>
Patchwork-id: 22989
O-Subject: [PATCH RHEL5.5 4/12 BZ556710 CVE-2010-0291] fix checks for
	expand-in-place mremap
Bugzilla: 556710
RH-Acked-by: Jarod Wilson <jarod@redhat.com>
RH-Acked-by: Larry Woodman <lwoodman@redhat.com>

backport of upstream commit f106af4e90eadd76cfc0b5325f659619e08fb762

Subject: [PATCH] fix checks for expand-in-place mremap

Acked-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

diff --git a/mm/mremap.c b/mm/mremap.c
index cdae1cf..730acee 100644
--- a/mm/mremap.c
+++ b/mm/mremap.c
@@ -24,6 +24,10 @@
 #include <asm/cacheflush.h>
 #include <asm/tlbflush.h>
 
+#ifndef arch_mmap_check
+#define arch_mmap_check(addr, len, flags)      (0)
+#endif
+
 static pmd_t *get_old_pmd(struct mm_struct *mm, unsigned long addr)
 {
 	pgd_t *pgd;
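Review bot: The `#ifndef arch_mmap_check` fallback added at the top of mm/mremap.c turns the architecture check into a constant 0 whenever the arch definition is not visible at this point, so the new test in vma_expandable() can be compiled out without any warning. Whether the headers included above actually pull in the arch definition cannot be seen from this hunk and should be confirmed for each architecture that provides the macro. I would add a comment above the fallback, for example `/* Fallback: no arch-specific mmap range restriction. An arch definition must be visible via the includes above, otherwise the check is a silent no-op. */`. If another file in mm/ carries the same fallback, moving it to a shared header would keep the two copies from drifting apart.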
@@ -351,12 +355,17 @@ out:
 
 static int vma_expandable(struct vm_area_struct *vma, unsigned long delta)
 {
+	unsigned long end = vma->vm_end + delta;
 	unsigned long max_addr = TASK_SIZE;
 	if (vma->vm_next)
 		max_addr = vma->vm_next->vm_start;
-	if (max_addr - vma->vm_end < delta)
+	if (max_addr < end || end < vma->vm_end)
+		return 0;
+	if (arch_mmap_check(vma->vm_start, end - vma->vm_start, MAP_FIXED))
+		return 0;
+	if (get_unmapped_area(NULL, vma->vm_start, end - vma->vm_start,
+			      0, MAP_FIXED) & ~PAGE_MASK)
 		return 0;
-	/* we need to do arch-specific checks here */
 	return 1;
 }
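Review bot: The new conditions in vma_expandable() rely on two idioms that the code does not explain, and the only comment in the function was removed. `end < vma->vm_end` catches wraparound of `vma->vm_end + delta`, and `& ~PAGE_MASK` treats any non-page-aligned return from get_unmapped_area() as an error value; I would mark them with `/* vm_end + delta wrapped */` and `/* error returns are not page-aligned */`. The call passes a NULL file and a pgoff of 0, so a file-specific placement hook would presumably not be consulted for file-backed mappings; if that is intended, a one-line comment should say so. It is also worth stating whether the explicit `arch_mmap_check()` is needed because get_unmapped_area() in this tree does not perform that check itself, which is not visible from this hunk.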