From: Andrew Morton <akpm@linux-foundation.org>
To: agordeev@linux.ibm.com, akpm@linux-foundation.org,
linux-mm@kvack.org, mm-commits@vger.kernel.org,
torvalds@linux-foundation.org
Subject: [patch 23/54] mm/mmap.c: add more sanity checks to get_unmapped_area()
Date: Sun, 07 Jun 2020 21:41:18 -0700 [thread overview]
Message-ID: <20200608044118.UTcHAF_ag%akpm@linux-foundation.org> (raw)
In-Reply-To: <20200607212615.b050e41fac139a1e16fe00bd@linux-foundation.org>
From: Alexander Gordeev <agordeev@linux.ibm.com>
Subject: mm/mmap.c: add more sanity checks to get_unmapped_area()
Generic get_unmapped_area() function does sanity checks of address and
length of the area to be mapped. Yet, it lacks checking against
mmap_min_addr and mmap_end limits.
At the same time the default implementation of functions
arch_get_unmapped_area[_topdown]() and some architecture callbacks do
mmap_min_addr and mmap_end checks on their own.
Put additional checks into the generic code and do not let architecture
callbacks to get away with a possible area outside of the allowed limits.
That could also relieve arch_get_unmapped_area[_topdown]() callbacks of
own address and length sanity checks.
Link: http://lkml.kernel.org/r/d14f2cff3c891ef2c4b0337d737c6f04beacb124.1584958099.git.agordeev@linux.ibm.com
Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
---
mm/mmap.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/mm/mmap.c~mm-mmapc-add-more-sanity-checks-to-get_unmapped_area
+++ a/mm/mmap.c
@@ -2193,12 +2193,13 @@ get_unmapped_area(struct file *file, uns
unsigned long (*get_area)(struct file *, unsigned long,
unsigned long, unsigned long, unsigned long);
+ const unsigned long mmap_end = arch_get_mmap_end(addr);
unsigned long error = arch_mmap_check(addr, len, flags);
if (error)
return error;
/* Careful about overflows.. */
- if (len > TASK_SIZE)
+ if (len > mmap_end - mmap_min_addr)
return -ENOMEM;
get_area = current->mm->get_unmapped_area;
@@ -2219,7 +2220,7 @@ get_unmapped_area(struct file *file, uns
if (IS_ERR_VALUE(addr))
return addr;
- if (addr > TASK_SIZE - len)
+ if ((addr < mmap_min_addr) || (addr > mmap_end - len))
return -ENOMEM;
if (offset_in_page(addr))
return -EINVAL;
_
next prev parent reply other threads:[~2020-06-08 4:41 UTC|newest]
Thread overview: 64+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20200607212615.b050e41fac139a1e16fe00bd@linux-foundation.org>
2020-06-08 4:40 ` [patch 01/54] mm/page_idle.c: skip offline pages Andrew Morton
2020-06-08 4:40 ` [patch 02/54] ipc/msg: add missing annotation for freeque() Andrew Morton
2020-06-08 4:40 ` [patch 03/54] ipc/namespace.c: use a work queue to free_ipc Andrew Morton
2020-06-08 4:40 ` [patch 04/54] dynamic_debug: add an option to enable dynamic debug for modules only Andrew Morton
2020-06-08 4:40 ` [patch 05/54] kernel: add panic_on_taint Andrew Morton
2020-06-08 4:40 ` [patch 06/54] xarray.h: correct return code documentation for xa_store_{bh,irq}() Andrew Morton
2020-06-08 4:40 ` [patch 07/54] kernel/sysctl: support setting sysctl parameters from kernel command line Andrew Morton
2020-06-08 4:40 ` [patch 08/54] kernel/sysctl: support handling command line aliases Andrew Morton
2020-06-08 4:40 ` [patch 09/54] kernel/hung_task convert hung_task_panic boot parameter to sysctl Andrew Morton
2020-06-08 4:40 ` [patch 10/54] tools/testing/selftests/sysctl/sysctl.sh: support CONFIG_TEST_SYSCTL=y Andrew Morton
2020-06-08 4:40 ` [patch 11/54] lib/test_sysctl: support testing of sysctl. boot parameter Andrew Morton
2020-06-08 4:40 ` [patch 12/54] kernel/watchdog.c: convert {soft/hard}lockup boot parameters to sysctl aliases Andrew Morton
2020-06-08 4:40 ` [patch 13/54] kernel/hung_task.c: introduce sysctl to print all traces when a hung task is detected Andrew Morton
2020-06-08 4:40 ` [patch 14/54] panic: add sysctl to dump all CPUs backtraces on oops event Andrew Morton
2020-06-08 4:40 ` [patch 15/54] kernel/sysctl.c: ignore out-of-range taint bits introduced via kernel.tainted Andrew Morton
2020-06-08 4:40 ` [patch 16/54] mm/gup.c: convert to use get_user_{page|pages}_fast_only() Andrew Morton
2020-06-08 4:40 ` [patch 17/54] mm/gup: update pin_user_pages.rst for "case 3" (mmu notifiers) Andrew Morton
2020-06-08 4:41 ` [patch 18/54] mm/gup: introduce pin_user_pages_locked() Andrew Morton
2020-06-08 4:41 ` [patch 19/54] mm/gup: frame_vector: convert get_user_pages() --> pin_user_pages() Andrew Morton
2020-06-08 4:41 ` [patch 20/54] mm/gup: documentation fix for pin_user_pages*() APIs Andrew Morton
2020-06-08 4:41 ` [patch 21/54] docs: mm/gup: pin_user_pages.rst: add a "case 5" Andrew Morton
2020-06-08 4:41 ` [patch 22/54] vhost: convert get_user_pages() --> pin_user_pages() Andrew Morton
2020-06-08 4:41 ` Andrew Morton [this message]
2020-06-08 4:41 ` [patch 24/54] mm/mmap.c: do not allow mappings outside of allowed limits Andrew Morton
2020-06-08 4:41 ` [patch 25/54] arm: fix the flush_icache_range arguments in set_fiq_handler Andrew Morton
2020-06-08 4:41 ` [patch 26/54] nds32: unexport flush_icache_page Andrew Morton
2020-06-08 4:41 ` [patch 27/54] powerpc: unexport flush_icache_user_range Andrew Morton
2020-06-08 4:41 ` [patch 28/54] unicore32: remove flush_cache_user_range Andrew Morton
2020-06-08 4:41 ` [patch 29/54] asm-generic: fix the inclusion guards for cacheflush.h Andrew Morton
2020-06-08 4:41 ` [patch 30/54] asm-generic: don't include <linux/mm.h> in cacheflush.h Andrew Morton
2020-06-08 4:41 ` [patch 31/54] asm-generic: improve the flush_dcache_page stub Andrew Morton
2020-06-08 4:41 ` [patch 32/54] alpha: use asm-generic/cacheflush.h Andrew Morton
2020-06-08 4:41 ` [patch 33/54] arm64: " Andrew Morton
2020-06-08 4:41 ` [patch 34/54] c6x: " Andrew Morton
2020-06-08 4:41 ` [patch 35/54] hexagon: " Andrew Morton
2020-06-08 4:42 ` [patch 36/54] ia64: " Andrew Morton
2020-06-08 4:42 ` [patch 37/54] microblaze: " Andrew Morton
2020-06-08 4:42 ` [patch 38/54] m68knommu: " Andrew Morton
2020-06-08 4:42 ` [patch 39/54] openrisc: " Andrew Morton
2020-06-08 4:42 ` [patch 40/54] powerpc: " Andrew Morton
2020-06-08 4:42 ` [patch 41/54] riscv: " Andrew Morton
2020-06-08 4:42 ` [patch 42/54] arm,sparc,unicore32: remove flush_icache_user_range Andrew Morton
2020-06-08 4:42 ` [patch 43/54] mm: rename flush_icache_user_range to flush_icache_user_page Andrew Morton
2020-06-08 4:42 ` [patch 44/54] asm-generic: add a flush_icache_user_range stub Andrew Morton
2020-06-08 4:42 ` [patch 45/54] sh: implement flush_icache_user_range Andrew Morton
2020-06-08 4:42 ` [patch 46/54] xtensa: " Andrew Morton
2020-06-08 4:42 ` [patch 47/54] arm: rename flush_cache_user_range to flush_icache_user_range Andrew Morton
2020-06-08 4:42 ` [patch 48/54] m68k: implement flush_icache_user_range Andrew Morton
2020-06-08 4:42 ` [patch 49/54] exec: only build read_code when needed Andrew Morton
2020-06-08 4:42 ` [patch 50/54] exec: use flush_icache_user_range in read_code Andrew Morton
2020-06-08 4:42 ` [patch 51/54] binfmt_flat: use flush_icache_user_range Andrew Morton
2020-06-08 4:42 ` [patch 52/54] nommu: use flush_icache_user_range in brk and mmap Andrew Morton
2020-06-08 4:42 ` [patch 53/54] module: move the set_fs hack for flush_icache_range to m68k Andrew Morton
2020-06-08 4:42 ` [patch 54/54] doc: cgroup: update note about conditions when oom killer is invoked Andrew Morton
2020-06-08 6:09 ` [obsolete] linux-next-rejects.patch removed from -mm tree Andrew Morton
2020-06-08 23:33 ` + lib-test-get_count_order-long-in-test_bitopsc-fix-fix.patch added to " Andrew Morton
2020-06-08 23:42 ` + checkpatch-correct-check-for-kernel-parameters-doc.patch " Andrew Morton
2020-06-08 23:43 ` + lib-fix-bitmap_parse-on-64-bit-big-endian-archs.patch " Andrew Morton
2020-06-08 23:45 ` + mm-debug_vm_pgtable-fix-kernel-crash-by-checking-for-thp-support.patch " Andrew Morton
2020-06-08 23:56 ` + mm-memory-failure-prioritize-prctlpr_mce_kill-over-vmmemory_failure_early_kill.patch " Andrew Morton
2020-06-08 23:56 ` + mm-memory-failure-send-sigbusbus_mceerr_ar-only-to-current-thread.patch " Andrew Morton
2020-06-08 23:57 ` + fs-ocfs2-fix-spelling-mistake-and-grammar.patch " Andrew Morton
2020-06-09 0:12 ` + fix-build-failure-of-ocfs2-when-tcp-ip-is-disabled.patch " Andrew Morton
2020-06-09 1:27 ` + mm-pgtable-add-shortcuts-for-accessing-kernel-pmd-and-pte-fix-3.patch " Andrew Morton
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200608044118.UTcHAF_ag%akpm@linux-foundation.org \
--to=akpm@linux-foundation.org \
--cc=agordeev@linux.ibm.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=mm-commits@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).