From: Danny Feng <dfeng@redhat.com>
Date: Fri, 29 Jan 2010 09:25:40 -0500
Subject: [mm] fix checks for expand-in-place mremap
Message-id: <20100129092552.4587.87072.sendpatchset@dhcp-65-180.nay.redhat.com>
Patchwork-id: 22989
O-Subject: [PATCH RHEL5.5 4/12 BZ556710 CVE-2010-0291] fix checks for expand-in-place mremap
Bugzilla: 556710
RH-Acked-by: Jarod Wilson <jarod@redhat.com>
RH-Acked-by: Larry Woodman <lwoodman@redhat.com>
backport of upstream commit f106af4e90eadd76cfc0b5325f659619e08fb762
Subject: [PATCH] fix checks for expand-in-place mremap
Acked-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
diff --git a/mm/mremap.c b/mm/mremap.c
index cdae1cf..730acee 100644
--- a/mm/mremap.c
+++ b/mm/mremap.c
@@ -24,6 +24,10 @@
 #include <asm/cacheflush.h>
 #include <asm/tlbflush.h>
 
+#ifndef arch_mmap_check
+#define arch_mmap_check(addr, len, flags) (0)
+#endif
+
 static pmd_t *get_old_pmd(struct mm_struct *mm, unsigned long addr)
 {
 	pgd_t *pgd;
@@ -351,12 +355,17 @@ out:
 static int vma_expandable(struct vm_area_struct *vma, unsigned long delta)
 {
+	unsigned long end = vma->vm_end + delta;
 	unsigned long max_addr = TASK_SIZE;
 	if (vma->vm_next)
 		max_addr = vma->vm_next->vm_start;
-	if (max_addr - vma->vm_end < delta)
+	if (max_addr < end || end < vma->vm_end)
+		return 0;
+	if (arch_mmap_check(vma->vm_start, end - vma->vm_start, MAP_FIXED))
+		return 0;
+	if (get_unmapped_area(NULL, vma->vm_start, end - vma->vm_start,
+			0, MAP_FIXED) & ~PAGE_MASK)
 		return 0;
-	/* we need to do arch-specific checks here */
 	return 1;
 }
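Review bot: The `#ifndef arch_mmap_check` fallback added in the first hunk silently turns the new arch check into a no-op whenever the architecture's real definition is not visible in this translation unit; the only includes shown are `asm/cacheflush.h` and `asm/tlbflush.h`, and whether `linux/mman.h` (where an arch's `arch_mmap_check` would presumably be published) is included earlier in mremap.c is outside this chunk. Since the point of this backport (CVE-2010-0291) is to actually run that check from `vma_expandable`, it is worth confirming the include and marking the fallback so the dependency is not lost, e.g. `/* no-op default: the real arch_mmap_check must be in scope via linux/mman.h, otherwise the expand-in-place path stays unchecked */`. If mm/mmap.c in this tree carries the same `(0)` fallback, the two copies should be hoisted to one shared header so they cannot diverge. The second hunk's trailing context lines run past the end of this chunk.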