c/pve-kernel-qoup
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
9f7f3b58a9
pve-kernel-qoup/CVE-2017-1000364-mm-mmap.c-expand_downwards-don-t-require-the-gap-if-.patch
Thomas Lamprecht 4c390211d8 add CVE fixes 
CVE-2017-1000364 (rather bugfix for the original CVE fix):
 * mm/mmap.c: expand_downwards: don't require the gap if !vm_prev
 * mm/mmap.c: do not blow on PROT_NONE MAP_FIXED holes in the stack

CVE-2017-1000365: fs/exec.c: account for argv/envp pointers

CVE-2017-10810: drm/virtio: don't leak bo on drm_gem_object_init
 failure

CVE-2017-7482: rxrpc: Fix several cases where a padded len isn't
 checked in ticket decode

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2017-07-19 09:46:19 +02:00

72 lines
2.4 KiB
Diff
Raw Blame History

From aea792ba99ba73a6b0c4e5aea3b4b6b3f9d821f6 Mon Sep 17 00:00:00 2001
From: Oleg Nesterov <oleg@redhat.com>
Date: Mon, 17 Jul 2017 14:53:29 +0200
Subject: [PATCH 2/2] mm/mmap.c: expand_downwards: don't require the gap if
!vm_prev
expand_stack(vma) fails if address < stack_guard_gap even if there is no
vma->vm_prev. I don't think this makes sense, and we didn't do this
before the recent commit 1be7107fbe18 ("mm: larger stack guard gap,
between vmas").
We do not need a gap in this case, any address is fine as long as
security_mmap_addr() doesn't object.
This also simplifies the code, we know that address >= prev->vm_end and
thus underflow is not possible.
Link: http://lkml.kernel.org/r/20170628175258.GA24881@redhat.com
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: Larry Woodman <lwoodman@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
CVE-2017-1000364
(cherry picked from commit 32e4e6d5cbb0c0e427391635991fe65e17797af8)
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
Acked-by: Kamal Mostafa <kamal@canonical.com>
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
---
mm/mmap.c | 10 +++-------
1 file changed, 3 insertions(+), 7 deletions(-)
diff --git a/mm/mmap.c b/mm/mmap.c
index 9fabd8c82f38..09c728a1eeee 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -2312,7 +2312,6 @@ int expand_downwards(struct vm_area_struct *vma,
{
struct mm_struct *mm = vma->vm_mm;
struct vm_area_struct *prev;
- unsigned long gap_addr;
int error;
address &= PAGE_MASK;
@@ -2321,15 +2320,12 @@ int expand_downwards(struct vm_area_struct *vma,
return error;
/* Enforce stack_guard_gap */
- gap_addr = address - stack_guard_gap;
- if (gap_addr > address)
- return -ENOMEM;
prev = vma->vm_prev;
- if (prev && prev->vm_end > gap_addr &&
+ /* Check that both stack segments have the same anon_vma? */
+ if (prev && !(prev->vm_flags & VM_GROWSDOWN) &&
(prev->vm_flags & (VM_WRITE|VM_READ|VM_EXEC))) {
- if (!(prev->vm_flags & VM_GROWSDOWN))
+ if (address - prev->vm_end < stack_guard_gap)
return -ENOMEM;
- /* Check that both stack segments have the same anon_vma? */
}
/* We must make sure the anon_vma is allocated. */
--
2.11.0
Reference in New Issue View Git Blame Copy Permalink