It prevent situation when vm_unmapped_area chose address between
PAGE_SIZE and mmap_min_addr range. In this case mmap will fail with
EPERM without a good reason.
As test-case of such situation we may hard-code address between
PAGE_SIZE and 65536 inside unmapped_area_topdown function.
Signed-off-by: Ilya Smith <blackz...@gmail.com>
---
arch/x86/kernel/sys_x86_64.c | 5 +++--
arch/x86/mm/mmap.c | 4 ++++
2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/arch/x86/kernel/sys_x86_64.c b/arch/x86/kernel/sys_x86_64.c
index 676774b9bb8d..1752fe5cb735 100644
--- a/arch/x86/kernel/sys_x86_64.c
+++ b/arch/x86/kernel/sys_x86_64.c
@@ -17,6 +17,7 @@
#include <linux/random.h>
#include <linux/uaccess.h>
#include <linux/elf.h>
+#include <linux/security.h>
#include <asm/elf.h>
#include <asm/compat.h>
@@ -185,7 +186,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const
unsigned long addr0,
return addr;
/* requested length too big for entire address space */
- if (len > TASK_SIZE)
+ if (len > TASK_SIZE - mmap_min_addr)
return -ENOMEM;
/* No address checking. See comment at mmap_address_hint_valid() */
@@ -210,7 +211,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const
unsigned long addr0,
info.flags = VM_UNMAPPED_AREA_TOPDOWN;
info.length = len;
- info.low_limit = PAGE_SIZE;
+ info.low_limit = max(PAGE_SIZE, mmap_min_addr);
info.high_limit = get_mmap_base(0);
/*
diff --git a/arch/x86/mm/mmap.c b/arch/x86/mm/mmap.c
index 155ecbac9e28..b6d0c317639e 100644
--- a/arch/x86/mm/mmap.c
+++ b/arch/x86/mm/mmap.c
@@ -31,6 +31,7 @@
#include <linux/sched/signal.h>
#include <linux/sched/mm.h>
#include <linux/compat.h>
+#include <linux/security.h>
#include <asm/elf.h>
#include "physaddr.h"
@@ -220,6 +221,9 @@ bool mmap_address_hint_valid(unsigned long addr, unsigned
long len)
if (TASK_SIZE - len < addr)
return false;
+ if (addr < mmap_min_addr)
+ return false;
+
return (addr > DEFAULT_MAP_WINDOW) == (addr + len > DEFAULT_MAP_WINDOW);
}
--
2.14.1
