[RFC PATCH 0/6] Check length of unmapped area on MAP_FIXED

[RFC PATCH 0/6] Check length of unmapped area on MAP_FIXED

[Liam Howlett]

RFC because the patches are not well tested.  I've not triggered the
issue these patches fix, but have compile tested arm, sh, and sparc64
using the default config.  Please test the patches before accepting them
on your arch.

arc, arm, nds32, sparc32 and sparc64 do not check the size of the
requested MAP_FIXED before returning the address.  It appears this issue
was cloned across various architectures and, in some cases, affects both
bottom up and top down searches.  This set of patches aligns all
platforms and search directions to check the size of a MAP_FIXED
request before returning the fixed address.

Liam R. Howlett (6):
  ARC: mm/mmap.c: Check length of unmapped area before allowing
    MAP_FIXED
  [ARM] mm/mmap.c: Check length of unmapped area before allowing
    MAP_FIXED
  nds32/mm/mmap.c: Check length of unmapped area before allowing
    MAP_FIXED
  sh/mm/mmap.c: Check length of unmapped area before allowing MAP_FIXED
  sys_sparc_32.c: Check length of unmapped area before allowing
    MAP_FIXED
  sys_sparc_64.c: Check length of unmapped area before allowing
    MAP_FIXED

 arch/arc/mm/mmap.c               |  6 +++---
 arch/arm/mm/mmap.c               |  6 +++---
 arch/nds32/mm/mmap.c             |  6 +++---
 arch/sh/mm/mmap.c                | 12 ++++++------
 arch/sparc/kernel/sys_sparc_32.c |  7 ++++---
 arch/sparc/kernel/sys_sparc_64.c | 16 ++++++++--------
 6 files changed, 27 insertions(+), 26 deletions(-)

-- 
2.30.2

[RFC PATCH 4/6] sh/mm/mmap.c: Check length of unmapped area before allowing MAP_FIXED

[Liam Howlett]

arch_get_unmapped_area() and arch_get_unmapped_area_topdown() could
potentially allow a larger than possible length when using the MAP_FIXED
flag.  The bound check should come before the check for MAP_FIXED.

Fixes: 2cd841c0b3a8 (v2.4.9.5 -> v2.4.9.6)
Signed-off-by: Liam R. Howlett <Liam.Howlett@oracle.com>
---
 arch/sh/mm/mmap.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/arch/sh/mm/mmap.c b/arch/sh/mm/mmap.c
index 6a1a1297baae..3d46c475198d 100644
--- a/arch/sh/mm/mmap.c
+++ b/arch/sh/mm/mmap.c
@@ -39,6 +39,9 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr,
 	int do_colour_align;
 	struct vm_unmapped_area_info info;
 
+	if (unlikely(len > TASK_SIZE))
+		return -ENOMEM;
+
 	if (flags & MAP_FIXED) {
 		/* We do not accept a shared mapping if it would violate
 		 * cache aliasing constraints.
@@ -49,9 +52,6 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr,
 		return addr;
 	}
 
-	if (unlikely(len > TASK_SIZE))
-		return -ENOMEM;
-
 	do_colour_align = 0;
 	if (filp || (flags & MAP_SHARED))
 		do_colour_align = 1;
@@ -88,6 +88,9 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
 	int do_colour_align;
 	struct vm_unmapped_area_info info;
 
+	if (unlikely(len > TASK_SIZE))
+		return -ENOMEM;
+
 	if (flags & MAP_FIXED) {
 		/* We do not accept a shared mapping if it would violate
 		 * cache aliasing constraints.
@@ -98,9 +101,6 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
 		return addr;
 	}
 
-	if (unlikely(len > TASK_SIZE))
-		return -ENOMEM;
-
 	do_colour_align = 0;
 	if (filp || (flags & MAP_SHARED))
 		do_colour_align = 1;
-- 
2.30.2