linux-kernel.vger.kernel.org archive mirror
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Cyrill Gorcunov <gorcunov@gmail.com>,
	Andrey Vagin <avagin@gmail.com>,
	Dmitry Safonov <0x7f454c46@gmail.com>,
	Pavel Emelyanov <xemul@virtuozzo.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	Linus Torvalds <torvalds@linux-foundation.org>,
	Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.14 13/81] kernel/sys.c: prctl: fix false positive in validate_prctl_map()
Date: Thu, 13 Jun 2019 10:32:56 +0200	[thread overview]
Message-ID: <20190613075650.048932735@linuxfoundation.org> (raw)
In-Reply-To: <20190613075649.074682929@linuxfoundation.org>

[ Upstream commit a9e73998f9d705c94a8dca9687633adc0f24a19a ]

While validating a new map we require @start_data to be strictly less
than @end_data, which is fine for regular applications (this is why this
nit didn't trigger for that long).  These members are set by executable
loaders such as the ELF handlers; still, it is pretty valid to have a loadable
data section with zero size in the file, in which case start_data is equal
to end_data once the kernel loader finishes.

As a result, when we're trying to restore such programs the procedure fails
and the kernel returns -EINVAL.  From the image dump of a program:

 | "mm_start_code": "0x400000",
 | "mm_end_code": "0x8f5fb4",
 | "mm_start_data": "0xf1bfb0",
 | "mm_end_data": "0xf1bfb0",

Thus we need to change validate_prctl_map() from using the strictly-less
operator to using less-or-equal.

Link: http://lkml.kernel.org/r/20190408143554.GY1421@uranus.lan
Fixes: f606b77f1a9e3 ("prctl: PR_SET_MM -- introduce PR_SET_MM_MAP operation")
Signed-off-by: Cyrill Gorcunov <gorcunov@gmail.com>
Cc: Andrey Vagin <avagin@gmail.com>
Cc: Dmitry Safonov <0x7f454c46@gmail.com>
Cc: Pavel Emelyanov <xemul@virtuozzo.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/sys.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/sys.c b/kernel/sys.c
index e25ec93aea22..ab96b9882347 100644
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -1861,7 +1861,7 @@ static int validate_prctl_map(struct prctl_mm_map *prctl_map)
 	((unsigned long)prctl_map->__m1 __op				\
 	 (unsigned long)prctl_map->__m2) ? 0 : -EINVAL
 	error  = __prctl_check_order(start_code, <, end_code);
-	error |= __prctl_check_order(start_data, <, end_data);
+	error |= __prctl_check_order(start_data,<=, end_data);
 	error |= __prctl_check_order(start_brk, <=, brk);
 	error |= __prctl_check_order(arg_start, <=, arg_end);
 	error |= __prctl_check_order(env_start, <=, env_end);
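Review bot: the new line drops the space after the comma, `__prctl_check_order(start_data,<=, end_data);`, while every sibling line in the hunk writes `, <=, `; align it with `error |= __prctl_check_order(start_data, <=, end_data);` before it lands in stable. On substance, the relaxation matches the start_brk/brk, arg_start/arg_end and env_start/env_end lines, which already accept an empty range; only start_code/end_code keeps the strict `<`, which is consistent with the commit message justifying an empty data segment and saying nothing about an empty code segment, so a zero-length code range will still be refused with -EINVAL.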
-- 
2.20.1
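The ordering rule the patch relaxes, re-implemented in userspace as an added example (this is not code from the patch, the kernel or CRIU). It reads the `mm_*` fields out of a dump in the format quoted in the commit message and evaluates them under both the old strict rule and the fixed rule, so a checkpoint/restore tool can tell in advance whether a given image would be rejected by an unpatched kernel. The `struct mm_map_fields` layout and the `CHECK_ORDER` macro mirror the kernel's `validate_prctl_map()` as shown in the hunk; the parser and the sample dump are assumptions for this example, and the brk/stack/arg/env values in the sample are constructed, only the four code/data values are taken from the commit message.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed copy of the fields of struct prctl_mm_map that take part in the
 * ordering check; names follow <linux/prctl.h>, layout is our own. */
struct mm_map_fields {
    uint64_t start_code, end_code;
    uint64_t start_data, end_data;
    uint64_t start_brk, brk;
    uint64_t start_stack;
    uint64_t arg_start, arg_end;
    uint64_t env_start, env_end;
};

/* Ordering rules of validate_prctl_map(). strict_data == 1 reproduces the
 * pre-fix kernel (start_data < end_data), 0 the fixed kernel (<=).
 * Returns 0 on success or -EINVAL, like the kernel helper. */
int check_order(const struct mm_map_fields *m, int strict_data)
{
    int error;
#define CHECK_ORDER(a, op, b) \
    (((uint64_t)(m)->a op (uint64_t)(m)->b) ? 0 : -EINVAL)
    error  = CHECK_ORDER(start_code, <, end_code);
    error |= strict_data ? CHECK_ORDER(start_data, <, end_data)
                         : CHECK_ORDER(start_data, <=, end_data);
    error |= CHECK_ORDER(start_brk, <=, brk);
    error |= CHECK_ORDER(arg_start, <=, arg_end);
    error |= CHECK_ORDER(env_start, <=, env_end);
#undef CHECK_ORDER
    return error;
}

/* Key-to-field table for the "mm_<name>": "0x..." lines of the dump. */
static const struct { const char *key; size_t off; } fields[] = {
    { "mm_start_code",  offsetof(struct mm_map_fields, start_code) },
    { "mm_end_code",    offsetof(struct mm_map_fields, end_code) },
    { "mm_start_data",  offsetof(struct mm_map_fields, start_data) },
    { "mm_end_data",    offsetof(struct mm_map_fields, end_data) },
    { "mm_start_brk",   offsetof(struct mm_map_fields, start_brk) },
    { "mm_brk",         offsetof(struct mm_map_fields, brk) },
    { "mm_start_stack", offsetof(struct mm_map_fields, start_stack) },
    { "mm_arg_start",   offsetof(struct mm_map_fields, arg_start) },
    { "mm_arg_end",     offsetof(struct mm_map_fields, arg_end) },
    { "mm_env_start",   offsetof(struct mm_map_fields, env_start) },
    { "mm_env_end",     offsetof(struct mm_map_fields, env_end) },
};

/* Minimal parser for the dump excerpt format: finds "<key>": "<hex>" and
 * stores the value. Returns the number of fields found; unparsed fields
 * are left at zero. */
int parse_mm_dump(const char *text, struct mm_map_fields *m)
{
    int found = 0;
    memset(m, 0, sizeof *m);
    for (size_t i = 0; i < sizeof fields / sizeof fields[0]; i++) {
        char pat[64];
        snprintf(pat, sizeof pat, "\"%s\": \"", fields[i].key);
        const char *p = strstr(text, pat);
        if (!p)
            continue;
        p += strlen(pat);
        char *end;
        errno = 0;
        unsigned long long v = strtoull(p, &end, 0);
        if (end == p || errno)
            continue;
        *(uint64_t *)((char *)m + fields[i].off) = v;
        found++;
    }
    return found;
}

/* Constructed sample: the four mm_*code/data lines are the ones quoted in the
 * commit message, the remaining values are made up for this example. */
const char sample_dump[] =
    "  \"mm_start_code\": \"0x400000\",\n"
    "  \"mm_end_code\": \"0x8f5fb4\",\n"
    "  \"mm_start_data\": \"0xf1bfb0\",\n"
    "  \"mm_end_data\": \"0xf1bfb0\",\n"
    "  \"mm_start_brk\": \"0xf1c000\",\n"
    "  \"mm_brk\": \"0xf3d000\",\n"
    "  \"mm_start_stack\": \"0x7ffd5d2e0000\",\n"
    "  \"mm_arg_start\": \"0x7ffd5d2e1a00\",\n"
    "  \"mm_arg_end\": \"0x7ffd5d2e1a10\",\n"
    "  \"mm_env_start\": \"0x7ffd5d2e1a10\",\n"
    "  \"mm_env_end\": \"0x7ffd5d2e1ff0\",\n";

int main(void)
{
    struct mm_map_fields m;
    int n = parse_mm_dump(sample_dump, &m);
    printf("parsed %d fields, start_data=%#llx end_data=%#llx\n", n,
           (unsigned long long)m.start_data, (unsigned long long)m.end_data);
    printf("old rule (<):  %d\n", check_order(&m, 1));
    printf("new rule (<=): %d\n", check_order(&m, 0));
    return 0;
}
```

With the values from the commit message, the old rule returns -EINVAL because the data segment is empty, and the fixed rule returns 0. Passing the pre-flight check only removes this one reason for rejection: the real prctl(PR_SET_MM, PR_SET_MM_MAP, ...) call still needs CAP_SYS_RESOURCE and the kernel's remaining range checks, which this example does not model.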





Thread overview:
2019-06-13  8:32 [PATCH 4.14 00/81] 4.14.126-stable review Greg Kroah-Hartman
2019-06-13  8:32 ` [PATCH 4.14 01/81] rapidio: fix a NULL pointer dereference when create_workqueue() fails Greg Kroah-Hartman
2019-06-13  8:32 ` [PATCH 4.14 02/81] fs/fat/file.c: issue flush after the writeback of FAT Greg Kroah-Hartman
2019-06-13  8:32 ` [PATCH 4.14 03/81] sysctl: return -EINVAL if val violates minmax Greg Kroah-Hartman
2019-06-13  8:32 ` [PATCH 4.14 04/81] ipc: prevent lockup on alloc_msg and free_msg Greg Kroah-Hartman
2019-06-13  8:32 ` [PATCH 4.14 05/81] ARM: prevent tracing IPI_CPU_BACKTRACE Greg Kroah-Hartman
2019-06-13  8:32 ` [PATCH 4.14 06/81] mm/hmm: select mmu notifier when selecting HMM Greg Kroah-Hartman
2019-06-13  8:32 ` [PATCH 4.14 07/81] hugetlbfs: on restore reserve error path retain subpool reservation Greg Kroah-Hartman
2019-06-13  8:32 ` [PATCH 4.14 08/81] mem-hotplug: fix node spanned pages when we have a node with only ZONE_MOVABLE Greg Kroah-Hartman
2019-06-13  8:32 ` [PATCH 4.14 09/81] mm/cma.c: fix crash on CMA allocation if bitmap allocation fails Greg Kroah-Hartman
2019-06-13  8:32 ` [PATCH 4.14 10/81] mm/cma.c: fix the bitmap status to show failed allocation reason Greg Kroah-Hartman
2019-06-13  8:32 ` [PATCH 4.14 11/81] mm/cma_debug.c: fix the break condition in cma_maxchunk_get() Greg Kroah-Hartman
2019-06-13  8:32 ` [PATCH 4.14 12/81] mm/slab.c: fix an infinite loop in leaks_show() Greg Kroah-Hartman
2019-06-13  8:32 ` Greg Kroah-Hartman [this message]
2019-06-13  8:32 ` [PATCH 4.14 14/81] thermal: rcar_gen3_thermal: disable interrupt in .remove Greg Kroah-Hartman
2019-06-13  8:32 ` [PATCH 4.14 15/81] drivers: thermal: tsens: Dont print error message on -EPROBE_DEFER Greg Kroah-Hartman
2019-06-13  8:32 ` [PATCH 4.14 16/81] mfd: tps65912-spi: Add missing of table registration Greg Kroah-Hartman
2019-06-13  8:33 ` [PATCH 4.14 17/81] mfd: intel-lpss: Set the device in reset state when init Greg Kroah-Hartman
2019-06-13  8:33 ` [PATCH 4.14 18/81] drm/nouveau/disp/dp: respect sink limits when selecting failsafe link configuration Greg Kroah-Hartman
2019-06-13  8:33 ` [PATCH 4.14 19/81] mfd: twl6040: Fix device init errors for ACCCTL register Greg Kroah-Hartman
2019-06-13  8:33 ` [PATCH 4.14 20/81] perf/x86/intel: Allow PEBS multi-entry in watermark mode Greg Kroah-Hartman
2019-06-13  8:33 ` [PATCH 4.14 21/81] drm/bridge: adv7511: Fix low refresh rate selection Greg Kroah-Hartman
2019-06-13  8:33 ` [PATCH 4.14 22/81] objtool: Dont use ignore flag for fake jumps Greg Kroah-Hartman
2019-06-13  8:33 ` [PATCH 4.14 23/81] EDAC/mpc85xx: Prevent building as a module Greg Kroah-Hartman
2019-06-13  8:33 ` [PATCH 4.14 24/81] pwm: meson: Use the spin-lock only to protect register modifications Greg Kroah-Hartman
2019-06-13  8:33 ` [PATCH 4.14 25/81] ntp: Allow TAI-UTC offset to be set to zero Greg Kroah-Hartman
2019-06-13  8:33 ` [PATCH 4.14 26/81] f2fs: fix to avoid panic in do_recover_data() Greg Kroah-Hartman
2019-06-13  8:33 ` [PATCH 4.14 27/81] f2fs: fix to clear dirty inode in error path of f2fs_iget() Greg Kroah-Hartman
2019-06-13  8:33 ` [PATCH 4.14 28/81] f2fs: fix to avoid panic in dec_valid_block_count() Greg Kroah-Hartman
2019-06-13  8:33 ` [PATCH 4.14 29/81] f2fs: fix to do sanity check on valid block count of segment Greg Kroah-Hartman
2019-06-13  8:33 ` [PATCH 4.14 30/81] percpu: remove spurious lock dependency between percpu and sched Greg Kroah-Hartman
2019-06-13  8:33 ` [PATCH 4.14 31/81] configfs: fix possible use-after-free in configfs_register_group Greg Kroah-Hartman
2019-06-13  8:33 ` [PATCH 4.14 32/81] uml: fix a boot splat wrt use of cpu_all_mask Greg Kroah-Hartman
2019-06-13  8:33 ` [PATCH 4.14 33/81] mmc: mmci: Prevent polling for busy detection in IRQ context Greg Kroah-Hartman
2019-06-13  8:33 ` [PATCH 4.14 34/81] mips: Make sure dt memory regions are valid Greg Kroah-Hartman
2019-06-13  8:33 ` [PATCH 4.14 35/81] watchdog: imx2_wdt: Fix set_timeout for big timeout values Greg Kroah-Hartman
2019-06-13  8:33 ` [PATCH 4.14 36/81] watchdog: fix compile time error of pretimeout governors Greg Kroah-Hartman
2019-06-13  8:33 ` [PATCH 4.14 37/81] blk-mq: move cancel of requeue_work into blk_mq_release Greg Kroah-Hartman
2019-06-13  8:33 ` [PATCH 4.14 38/81] iommu/vt-d: Set intel_iommu_gfx_mapped correctly Greg Kroah-Hartman
2019-06-13  8:33 ` [PATCH 4.14 39/81] misc: pci_endpoint_test: Fix test_reg_bar to be updated in pci_endpoint_test Greg Kroah-Hartman
2019-06-13  8:33 ` [PATCH 4.14 40/81] nvme-pci: unquiesce admin queue on shutdown Greg Kroah-Hartman
2019-06-13  8:33 ` [PATCH 4.14 41/81] ALSA: hda - Register irq handler after the chip initialization Greg Kroah-Hartman
2019-06-13  8:33 ` [PATCH 4.14 42/81] nvmem: core: fix read buffer in place Greg Kroah-Hartman
2019-06-13  8:33 ` [PATCH 4.14 43/81] fuse: retrieve: cap requested size to negotiated max_write Greg Kroah-Hartman
2019-06-13  8:33 ` [PATCH 4.14 44/81] nfsd: allow fh_want_write to be called twice Greg Kroah-Hartman
2019-06-13  8:33 ` [PATCH 4.14 45/81] vfio: Fix WARNING "do not call blocking ops when !TASK_RUNNING" Greg Kroah-Hartman
2019-06-13  8:33 ` [PATCH 4.14 46/81] x86/PCI: Fix PCI IRQ routing table memory leak Greg Kroah-Hartman
2019-06-13  8:33 ` [PATCH 4.14 47/81] platform/chrome: cros_ec_proto: check for NULL transfer function Greg Kroah-Hartman
2019-06-13  8:33 ` [PATCH 4.14 48/81] PCI: keystone: Prevent ARM32 specific code to be compiled for ARM64 Greg Kroah-Hartman
2019-06-13  8:33 ` [PATCH 4.14 49/81] soc: mediatek: pwrap: Zero initialize rdata in pwrap_init_cipher Greg Kroah-Hartman
2019-06-13  8:33 ` [PATCH 4.14 50/81] clk: rockchip: Turn on "aclk_dmac1" for suspend on rk3288 Greg Kroah-Hartman
2019-06-13  8:33 ` [PATCH 4.14 51/81] soc: rockchip: Set the proper PWM for rk3288 Greg Kroah-Hartman
2019-06-13  8:33 ` [PATCH 4.14 52/81] ARM: dts: imx51: Specify IMX5_CLK_IPG as "ahb" clock to SDMA Greg Kroah-Hartman
2019-06-13  8:33 ` [PATCH 4.14 53/81] ARM: dts: imx50: " Greg Kroah-Hartman
2019-06-13  8:33 ` [PATCH 4.14 54/81] ARM: dts: imx53: " Greg Kroah-Hartman
2019-06-13  8:33 ` [PATCH 4.14 55/81] ARM: dts: imx6sx: Specify IMX6SX_CLK_IPG " Greg Kroah-Hartman
2019-06-13  8:33 ` [PATCH 4.14 56/81] ARM: dts: imx7d: Specify IMX7D_CLK_IPG as "ipg" " Greg Kroah-Hartman
2019-06-13  8:33 ` [PATCH 4.14 57/81] ARM: dts: imx6ul: Specify IMX6UL_CLK_IPG " Greg Kroah-Hartman
2019-06-13  8:33 ` [PATCH 4.14 58/81] ARM: dts: imx6sx: Specify IMX6SX_CLK_IPG " Greg Kroah-Hartman
2019-06-13  8:33 ` [PATCH 4.14 59/81] ARM: dts: imx6qdl: Specify IMX6QDL_CLK_IPG " Greg Kroah-Hartman
2019-06-13  8:33 ` [PATCH 4.14 60/81] PCI: rpadlpar: Fix leaked device_node references in add/remove paths Greg Kroah-Hartman
2019-06-13  8:33 ` [PATCH 4.14 61/81] ALSA: seq: Protect in-kernel ioctl calls with mutex Greg Kroah-Hartman
2019-06-13  9:02   ` Takashi Iwai
2019-06-13  9:11     ` Greg Kroah-Hartman
2019-06-13  9:13       ` Takashi Iwai
2019-06-13 15:39         ` Sasha Levin
2019-06-13 15:44           ` Takashi Iwai
2019-06-13 16:28             ` Sasha Levin
2019-06-13  8:33 ` [PATCH 4.14 62/81] platform/x86: intel_pmc_ipc: adding error handling Greg Kroah-Hartman
2019-06-13  8:33 ` [PATCH 4.14 63/81] power: supply: max14656: fix potential use-before-alloc Greg Kroah-Hartman
2019-06-13  8:33 ` [PATCH 4.14 64/81] PCI: rcar: Fix a potential NULL pointer dereference Greg Kroah-Hartman
2019-06-13  8:33 ` [PATCH 4.14 65/81] PCI: rcar: Fix 64bit MSI message address handling Greg Kroah-Hartman
2019-06-13  8:33 ` [PATCH 4.14 66/81] video: hgafb: fix potential NULL pointer dereference Greg Kroah-Hartman
2019-06-13  8:33 ` [PATCH 4.14 67/81] video: imsttfb: fix potential NULL pointer dereferences Greg Kroah-Hartman
2019-06-13  8:33 ` [PATCH 4.14 68/81] block, bfq: increase idling for weight-raised queues Greg Kroah-Hartman
2019-06-13  8:33 ` [PATCH 4.14 69/81] PCI: xilinx: Check for __get_free_pages() failure Greg Kroah-Hartman
2019-06-13  8:33 ` [PATCH 4.14 70/81] gpio: gpio-omap: add check for off wake capable gpios Greg Kroah-Hartman
2019-06-13  8:33 ` [PATCH 4.14 71/81] dmaengine: idma64: Use actual device for DMA transfers Greg Kroah-Hartman
2019-06-13  8:33 ` [PATCH 4.14 72/81] pwm: tiehrpwm: Update shadow register for disabling PWMs Greg Kroah-Hartman
2019-06-13  8:33 ` [PATCH 4.14 73/81] ARM: dts: exynos: Always enable necessary APIO_1V8 and ABB_1V8 regulators on Arndale Octa Greg Kroah-Hartman
2019-06-13  8:33 ` [PATCH 4.14 74/81] pwm: Fix deadlock warning when removing PWM device Greg Kroah-Hartman
2019-06-13  8:33 ` [PATCH 4.14 75/81] ARM: exynos: Fix undefined instruction during Exynos5422 resume Greg Kroah-Hartman
2019-06-13  8:33 ` [PATCH 4.14 76/81] usb: typec: fusb302: Check vconn is off when we start toggling Greg Kroah-Hartman
2019-06-13  8:34 ` [PATCH 4.14 77/81] gpio: vf610: Do not share irq_chip Greg Kroah-Hartman
2019-06-13  8:34 ` [PATCH 4.14 78/81] percpu: do not search past bitmap when allocating an area Greg Kroah-Hartman
2019-06-13  8:34 ` [PATCH 4.14 79/81] Revert "Bluetooth: Align minimum encryption key size for LE and BR/EDR connections" Greg Kroah-Hartman
2019-06-13  8:34 ` [PATCH 4.14 80/81] Revert "drm/nouveau: add kconfig option to turn off nouveau legacy contexts. (v3)" Greg Kroah-Hartman
2019-06-13  8:34 ` [PATCH 4.14 81/81] drm: dont block fb changes for async plane updates Greg Kroah-Hartman
2019-06-13 15:11 ` [PATCH 4.14 00/81] 4.14.126-stable review Guenter Roeck
2019-06-13 15:37   ` Greg Kroah-Hartman
2019-06-13 16:38     ` Sasha Levin
2019-06-13 19:33     ` Naresh Kamboju
2019-06-13 16:30 ` kernelci.org bot
2019-06-13 22:38 ` Guenter Roeck
2019-06-14  2:38 ` shuah
2019-06-14 10:28 ` Jon Hunter
