[stable] Patch "mm: avoid wrapping vm_pgoff in mremap()" has been added to the 2.6.38-stable tree

Mon, 11 Apr 2011 14:48:17 -0700 

This is a note to let you know that I've just added the patch titled

    mm: avoid wrapping vm_pgoff in mremap()

to the 2.6.38-stable tree which can be found at:
    
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     mm-avoid-wrapping-vm_pgoff-in-mremap.patch
and it can be found in the queue-2.6.38 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <[email protected]> know about it.


>From 982134ba62618c2d69fbbbd166d0a11ee3b7e3d8 Mon Sep 17 00:00:00 2001
From: Linus Torvalds <[email protected]>
Date: Thu, 7 Apr 2011 07:35:50 -0700
Subject: mm: avoid wrapping vm_pgoff in mremap()

From: Linus Torvalds <[email protected]>

commit 982134ba62618c2d69fbbbd166d0a11ee3b7e3d8 upstream.

The normal mmap paths all avoid creating a mapping where the pgoff
inside the mapping could wrap around due to overflow.  However, an
expanding mremap() can take such a non-wrapping mapping and make it
bigger and cause a wrapping condition.

Noticed by Robert Swiecki when running a system call fuzzer, where it
caused a BUG_ON() due to terminally confusing the vma_prio_tree code.  A
vma dumping patch by Hugh then pinpointed the crazy wrapped case.

Reported-and-tested-by: Robert Swiecki <[email protected]>
Acked-by: Hugh Dickins <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
 mm/mremap.c |   11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

--- a/mm/mremap.c
+++ b/mm/mremap.c
@@ -277,9 +277,16 @@ static struct vm_area_struct *vma_to_res
        if (old_len > vma->vm_end - addr)
                goto Efault;
 
-       if (vma->vm_flags & (VM_DONTEXPAND | VM_PFNMAP)) {
-               if (new_len > old_len)
+       /* Need to be careful about a growing mapping */
+       if (new_len > old_len) {
+               unsigned long pgoff;
+
+               if (vma->vm_flags & (VM_DONTEXPAND | VM_PFNMAP))
                        goto Efault;
+               pgoff = (addr - vma->vm_start) >> PAGE_SHIFT;
+               pgoff += vma->vm_pgoff;
+               if (pgoff + (new_len >> PAGE_SHIFT) < pgoff)
+                       goto Einval;
        }
 
        if (vma->vm_flags & VM_LOCKED) {


Patches currently in stable-queue which might be from 
[email protected] are

queue-2.6.38/mm-avoid-wrapping-vm_pgoff-in-mremap.patch
queue-2.6.38/inotify-fix-double-free-corruption-of-stuct-user.patch
queue-2.6.38/relax-si_code-check-in-rt_sigqueueinfo-and-rt_tgsigqueueinfo.patch

_______________________________________________
stable mailing list
[email protected]
http://linux.kernel.org/mailman/listinfo/stable

Reply via email to