From: PaX Team <pagee...@freemail.hu>
http://lkml.org/lkml/2013/9/17/30
SyS_remap_file_pages() calls mmap_region(), which calls remove_vma_list(), which calls remove_vma(), which frees the vma. Later (after the out label) SyS_remap_file_pages() accesses the freed vma in vm_flags = vma->vm_flags.

Reported-by: Dmitry Vyukov <dvyu...@google.com>
Signed-off-by: PaX Team <pagee...@freemail.hu>
Signed-off-by: Kees Cook <keesc...@chromium.org>
Cc: sta...@vger.kernel.org
---
 mm/fremap.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/mm/fremap.c b/mm/fremap.c
index 5bff08147768..afad07b85ef2 100644
--- a/mm/fremap.c
+++ b/mm/fremap.c
@@ -218,6 +218,8 @@ get_write_lock: BUG_ON(addr != start); err = 0; } + vm_flags = vma->vm_flags; + vma = NULL; goto out; } mutex_lock(&mapping->i_mmap_mutex);
--
1.7.9.5

-- 
Kees Cook
Chrome OS Security
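Review bot: the added `vm_flags = vma->vm_flags;` still dereferences `vma` after the point at which, per the commit message, mmap_region() has already freed it. The context lines `BUG_ON(addr != start); err = 0; }` read like the tail of the check on mmap_region()'s return value in `addr`, which would place the new read after that call, so the hunk moves the use-after-free a few lines earlier rather than removing it. Capture the flags into a local before mmap_region() is called (and pass that local to it) instead of reading `vma->vm_flags` afterwards. Separately, `vma = NULL;` only prevents the read at the `out` label if the code there tests `vma` for NULL before touching `vma->vm_flags`; that guard is not in the hunk, so either include it or state in the commit message that the `out` path already checks it, otherwise the use-after-free becomes a NULL-pointer dereference.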