vm: fix vm_pgoff wrap in upward expansion, CVE-2011-2496
BugLink: http://bugs.launchpad.net/bugs/869243
CVE-2011-2496 Commit a626ca6a6564 ("vm: fix vm_pgoff wrap in stack expansion") fixed the case of an expanding mapping causing vm_pgoff wrapping when you had downward stack expansion. But there was another case where IA64 and PA-RISC expand mappings: upward expansion. This fixes that case too. Signed-off-by: Hugh Dickins <hughd@google.com> Cc: stable@kernel.org Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Backported from 42c36f63ac1366ab0ecc2d5717821362c259f517 Acked-by: Stefan Bader <stefan.bader@canonical.com> Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com> Signed-off-by: Tim Gardner <tim.gardner@canonical.com> --- mm/mmap.c | 10 +++++++--- 1 files changed, 7 insertions(+), 3 deletions(-) diff --git a/mm/mmap.c b/mm/mmap.c index dcd3dcc..6ea8c93 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -1600,9 +1600,13 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address) size = address - vma->vm_start; grow = (address - vma->vm_end) >> PAGE_SHIFT; - error = acct_stack_growth(vma, size, grow); - if (!error) - vma->vm_end = address; + error = -ENOMEM; + if (vma->vm_pgoff + (size >> PAGE_SHIFT) >= vma->vm_pgoff) { + error = acct_stack_growth(vma, size, grow); + if (!error) { + vma->vm_end = address; + } + } } anon_vma_unlock(vma); return error; -- 1.7.1 --------------070807070704070205020206 Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline -- kernel-team mailing list kernel-team@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/kernel-team --------------070807070704070205020206-- |
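Review bot: the wrap check in expand_upwards(), `if (vma->vm_pgoff + (size >> PAGE_SHIFT) >= vma->vm_pgoff)`, is correct but deserves a one-line comment saying it rejects unsigned wrap of vm_pgoff (the upward-expansion counterpart of commit a626ca6a6564), since the condition reads as a no-op to anyone who does not already know the purpose; note that `size` is computed from `vma->vm_start`, so the check covers the whole resulting mapping and not just the `grow` pages, which is the right choice. Minor style point in the same hunk: the braces around the single statement `vma->vm_end = address;` are not needed under kernel coding style, and the `error = -ENOMEM;` default is only reached when the wrap check fails, so the acct_stack_growth() return value still wins in the normal path.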