Re: [PATCH 1/3] mmap: protect from stack expantion into low vm addresses
On Mon, 26 Nov 2007, Eric Paris wrote: > Add security checks to make sure we are not attempting to expand the > stack into memory protected by mmap_min_addr > > Signed-off-by: Eric Paris <[EMAIL PROTECTED]> Please include the LSMs list in the CC line (added again) for posts relating to security. Applied to git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/selinux-2.6.git#for-akpm > --- > > ** Be very careful applying/rediffing this patch. Standard 3 lines of > context from git diff will misapply the first hunk to expand_upwards > instead of properly in expand_downwards. This patch was generated using > -U 4 to make sure it applies in the correct place. ** Seems to have applied correctly for me. > > mm/mmap.c |8 ++-- > 1 file changed, 6 insertions(+), 2 deletions(-) > > --- kernel-1/mm/mmap.c > +++ kernel-2/mm/mmap.c > @@ -1614,17 +1614,21 @@ static inline int expand_downwards(struc >* so that the anon_vma locking is not a noop. >*/ > if (unlikely(anon_vma_prepare(vma))) > return -ENOMEM; > + > + address &= PAGE_MASK; > + error = security_file_mmap(0, 0, 0, 0, address, 1); > + if (error) > + return error; > + > anon_vma_lock(vma); > > /* >* vma->vm_start/vm_end cannot change under us because the caller >* is required to hold the mmap_sem in read mode. We need the >* anon_vma lock to serialize against concurrent expand_stacks. >*/ > - address &= PAGE_MASK; > - error = 0; > > /* Somebody else might have raced and expanded it already */ > if (address < vma->vm_start) { > unsigned long size, grow; > > -- James Morris <[EMAIL PROTECTED]> - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 1/3] mmap: protect from stack expantion into low vm addresses
Add security checks to make sure we are not attempting to expand the stack into memory protected by mmap_min_addr Signed-off-by: Eric Paris <[EMAIL PROTECTED]> --- ** Be very careful applying/rediffing this patch. Standard 3 lines of context from git diff will misapply the first hunk to expand_upwards instead of properly in expand_downwards. This patch was generated using -U 4 to make sure it applies in the correct place. ** mm/mmap.c |8 ++-- 1 file changed, 6 insertions(+), 2 deletions(-) --- kernel-1/mm/mmap.c +++ kernel-2/mm/mmap.c @@ -1614,17 +1614,21 @@ static inline int expand_downwards(struc * so that the anon_vma locking is not a noop. */ if (unlikely(anon_vma_prepare(vma))) return -ENOMEM; + + address &= PAGE_MASK; + error = security_file_mmap(0, 0, 0, 0, address, 1); + if (error) + return error; + anon_vma_lock(vma); /* * vma->vm_start/vm_end cannot change under us because the caller * is required to hold the mmap_sem in read mode. We need the * anon_vma lock to serialize against concurrent expand_stacks. */ - address &= PAGE_MASK; - error = 0; /* Somebody else might have raced and expanded it already */ if (address < vma->vm_start) { unsigned long size, grow; - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 1/3] mmap: protect from stack expantion into low vm addresses
Add security checks to make sure we are not attempting to expand the stack into memory protected by mmap_min_addr Signed-off-by: Eric Paris [EMAIL PROTECTED] --- ** Be very careful applying/rediffing this patch. Standard 3 lines of context from git diff will misapply the first hunk to expand_upwards instead of properly in expand_downwards. This patch was generated using -U 4 to make sure it applies in the correct place. ** mm/mmap.c |8 ++-- 1 file changed, 6 insertions(+), 2 deletions(-) --- kernel-1/mm/mmap.c +++ kernel-2/mm/mmap.c @@ -1614,17 +1614,21 @@ static inline int expand_downwards(struc * so that the anon_vma locking is not a noop. */ if (unlikely(anon_vma_prepare(vma))) return -ENOMEM; + + address = PAGE_MASK; + error = security_file_mmap(0, 0, 0, 0, address, 1); + if (error) + return error; + anon_vma_lock(vma); /* * vma-vm_start/vm_end cannot change under us because the caller * is required to hold the mmap_sem in read mode. We need the * anon_vma lock to serialize against concurrent expand_stacks. */ - address = PAGE_MASK; - error = 0; /* Somebody else might have raced and expanded it already */ if (address vma-vm_start) { unsigned long size, grow; - To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH 1/3] mmap: protect from stack expantion into low vm addresses
On Mon, 26 Nov 2007, Eric Paris wrote: Add security checks to make sure we are not attempting to expand the stack into memory protected by mmap_min_addr Signed-off-by: Eric Paris [EMAIL PROTECTED] Please include the LSMs list in the CC line (added again) for posts relating to security. Applied to git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/selinux-2.6.git#for-akpm --- ** Be very careful applying/rediffing this patch. Standard 3 lines of context from git diff will misapply the first hunk to expand_upwards instead of properly in expand_downwards. This patch was generated using -U 4 to make sure it applies in the correct place. ** Seems to have applied correctly for me. mm/mmap.c |8 ++-- 1 file changed, 6 insertions(+), 2 deletions(-) --- kernel-1/mm/mmap.c +++ kernel-2/mm/mmap.c @@ -1614,17 +1614,21 @@ static inline int expand_downwards(struc * so that the anon_vma locking is not a noop. */ if (unlikely(anon_vma_prepare(vma))) return -ENOMEM; + + address = PAGE_MASK; + error = security_file_mmap(0, 0, 0, 0, address, 1); + if (error) + return error; + anon_vma_lock(vma); /* * vma-vm_start/vm_end cannot change under us because the caller * is required to hold the mmap_sem in read mode. We need the * anon_vma lock to serialize against concurrent expand_stacks. */ - address = PAGE_MASK; - error = 0; /* Somebody else might have raced and expanded it already */ if (address vma-vm_start) { unsigned long size, grow; -- James Morris [EMAIL PROTECTED] - To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 1/3] mmap: protect from stack expantion into low vm addresses
When adding the new security hooks into mmap to enhance protection against NULL pointers in the kernel I overlooked that a user may be able to expand the stack all the way down to low addresses. This flaw was pointed out by a PaX/grsecurity developer and this patch should provide protection against this missed code path. Signed-off-by: Eric Paris <[EMAIL PROTECTED]> --- ** Be very careful applying/rediffing this patch. Standard 3 lines of context from git diff will misapply the first hunk to expand_upwards instead of properly in expand_downwards. This patch was generated using -U 4 to make sure it applies in the correct place. ** mm/mmap.c |8 ++-- 1 file changed, 6 insertions(+), 2 deletions(-) --- kernel-1/mm/mmap.c +++ kernel-2/mm/mmap.c @@ -1614,17 +1614,21 @@ static inline int expand_downwards(struc * so that the anon_vma locking is not a noop. */ if (unlikely(anon_vma_prepare(vma))) return -ENOMEM; + + address &= PAGE_MASK; + error = security_file_mmap(0, 0, 0, 0, address, 1); + if (error) + return error; + anon_vma_lock(vma); /* * vma->vm_start/vm_end cannot change under us because the caller * is required to hold the mmap_sem in read mode. We need the * anon_vma lock to serialize against concurrent expand_stacks. */ - address &= PAGE_MASK; - error = 0; /* Somebody else might have raced and expanded it already */ if (address < vma->vm_start) { unsigned long size, grow; - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 1/3] mmap: protect from stack expantion into low vm addresses
When adding the new security hooks into mmap to enhance protection against NULL pointers in the kernel I overlooked that a user may be able to expand the stack all the way down to low addresses. This flaw was pointed out by a PaX/grsecurity developer and this patch should provide protection against this missed code path. Signed-off-by: Eric Paris [EMAIL PROTECTED] --- ** Be very careful applying/rediffing this patch. Standard 3 lines of context from git diff will misapply the first hunk to expand_upwards instead of properly in expand_downwards. This patch was generated using -U 4 to make sure it applies in the correct place. ** mm/mmap.c |8 ++-- 1 file changed, 6 insertions(+), 2 deletions(-) --- kernel-1/mm/mmap.c +++ kernel-2/mm/mmap.c @@ -1614,17 +1614,21 @@ static inline int expand_downwards(struc * so that the anon_vma locking is not a noop. */ if (unlikely(anon_vma_prepare(vma))) return -ENOMEM; + + address = PAGE_MASK; + error = security_file_mmap(0, 0, 0, 0, address, 1); + if (error) + return error; + anon_vma_lock(vma); /* * vma-vm_start/vm_end cannot change under us because the caller * is required to hold the mmap_sem in read mode. We need the * anon_vma lock to serialize against concurrent expand_stacks. */ - address = PAGE_MASK; - error = 0; /* Somebody else might have raced and expanded it already */ if (address vma-vm_start) { unsigned long size, grow; - To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/