Date: Sun, 07 Jun 2020 21:41:18 -0700
From: Andrew Morton
To: agordeev@linux.ibm.com, akpm@linux-foundation.org, linux-mm@kvack.org, mm-commits@vger.kernel.org, torvalds@linux-foundation.org
Subject: [patch 23/54] mm/mmap.c: add more sanity checks to get_unmapped_area()
Message-ID: <20200608044118.UTcHAF_ag%akpm@linux-foundation.org>
In-Reply-To: <20200607212615.b050e41fac139a1e16fe00bd@linux-foundation.org>

From: Alexander Gordeev
Subject: mm/mmap.c: add more sanity checks to get_unmapped_area()

Generic get_unmapped_area() function does sanity checks of address and length of the area to be mapped. Yet, it lacks checking against mmap_min_addr and mmap_end limits. At the same time the default implementation of functions arch_get_unmapped_area[_topdown]() and some architecture callbacks do mmap_min_addr and mmap_end checks on their own.

Put additional checks into the generic code and do not let architecture callbacks get away with a possible area outside of the allowed limits. That could also relieve arch_get_unmapped_area[_topdown]() callbacks of their own address and length sanity checks.

Link: http://lkml.kernel.org/r/d14f2cff3c891ef2c4b0337d737c6f04beacb124.1584958099.git.agordeev@linux.ibm.com
Signed-off-by: Alexander Gordeev
Signed-off-by: Andrew Morton

--- mm/mmap.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) --- a/mm/mmap.c~mm-mmapc-add-more-sanity-checks-to-get_unmapped_area +++ a/mm/mmap.c @@ -2193,12 +2193,13 @@ get_unmapped_area(struct file *file, uns unsigned long (*get_area)(struct file *, unsigned long, unsigned long, unsigned long, unsigned long); + const unsigned long mmap_end = arch_get_mmap_end(addr); unsigned long error = arch_mmap_check(addr, len, flags); if (error) return error; /* Careful about overflows.. */ - if (len > TASK_SIZE) + if (len > mmap_end - mmap_min_addr) return -ENOMEM; get_area = current->mm->get_unmapped_area; @@ -2219,7 +2220,7 @@ get_unmapped_area(struct file *file, uns if (IS_ERR_VALUE(addr)) return addr; - if (addr > TASK_SIZE - len) + if ((addr < mmap_min_addr) || (addr > mmap_end - len)) return -ENOMEM; if (offset_in_page(addr)) return -EINVAL; _
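
Review bot: the new length check `len > mmap_end - mmap_min_addr` in the first hunk is unsigned arithmetic, so if mmap_min_addr is ever larger than mmap_end the subtraction wraps to a huge value and the check lets every len through, which the old `len > TASK_SIZE` comparison could not do. With the "Careful about overflows.." comment sitting directly above it, either guard the subtraction (for example, return -ENOMEM first when mmap_min_addr >= mmap_end) or add a comment saying why that ordering is guaranteed. Separately, mmap_end is computed once from the incoming addr, before arch_mmap_check(), and the second hunk applies it to the addr value that IS_ERR_VALUE() tests; a short comment stating that the limit is meant to follow the original hint would help.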
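
Review bot: the added `addr < mmap_min_addr` test in the second hunk is unconditional: it does not consult flags, so it applies to every request that reaches this point, and it reports the rejection as -ENOMEM. The commit message talks about not letting arch callbacks return an area outside the limits, but it should also state whether refusing every address below mmap_min_addr for all callers is intended, and whether -ENOMEM is the error user space should see for that case. The upper bound `addr > mmap_end - len` is only wrap-free because the first hunk has already bounded len by mmap_end - mmap_min_addr; a one-line comment noting that dependency would keep a later edit from separating the two checks.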