mm: ensure get_unmapped_area() returns higher address than mmap_min_addr

This patch fixes the problem that get_unmapped_area() can return illegal address and result in failing mmap(2) etc. In case that the address higher than PAGE_SIZE is set to /proc/sys/vm/mmap_min_addr, the address lower than mmap_min_addr can be returned by get_unmapped_area(), even if you do not pass any virtual address hint (i.e. the second argument). This is because the current get_unmapped_area() code does not take into account mmap_min_addr. This leads to two actual problems as follows: 1. mmap(2) can fail with EPERM on the process without CAP_SYS_RAWIO, although any illegal parameter is not passed. 2. The bottom-up search path after the top-down search might not work in arch_get_unmapped_area_topdown(). Note: The first and third chunk of my patch, which changes "len" check, are for more precise check using mmap_min_addr, and not for solving the above problem. [How to reproduce] --- test.c ------------------------------------------------- #include <stdio.h> #include <unistd.h> #include <sys/mman.h> #include <sys/errno.h> int main(int argc, char *argv[]) { void *ret = NULL, *last_map; size_t pagesize = sysconf(_SC_PAGESIZE); do { last_map = ret; ret = mmap(0, pagesize, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0); // printf("ret=%p\n", ret); } while (ret != MAP_FAILED); if (errno != ENOMEM) { printf("ERR: unexpected errno: %d (last map=%p)\n", errno, last_map); } return 0; } --------------------------------------------------------------- $ gcc -m32 -o test test.c $ sudo sysctl -w vm.mmap_min_addr=65536 vm.mmap_min_addr = 65536 $ ./test (run as non-priviledge user) ERR: unexpected errno: 1 (last map=0x10000) Signed-off-by: Akira Takeuchi <takeuchi.akr@jp.panasonic.com> Signed-off-by: Kiyoshi Owada <owada.kiyoshi@jp.panasonic.com> Reviewed-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
author: Akira Takeuchi <takeuchi.akr@jp.panasonic.com> 2013-11-12 18:08:21 -0500
committer: Linus Torvalds <torvalds@linux-foundation.org> 2013-11-12 22:09:10 -0500
commit: 2afc745f3e3079ab16c826be4860da2529054dd2 (patch)
tree: 2b3aad3cdc87a1c215a9e7d358651ac004e01058 /mm/mmap.c
parent: 0cbef29a782162a3896487901eca4550bfa397ef (diff)
1 files changed, 5 insertions, 5 deletions
diff --git a/mm/mmap.c b/mm/mmap.c
index fa206abb5c9d..3d3e224be771 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -1856,7 +1856,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
        struct vm_area_struct *vma;
        struct vm_unmapped_area_info info;
-        if (len > TASK_SIZE)
+        if (len > TASK_SIZE - mmap_min_addr)
                return -ENOMEM;
        if (flags & MAP_FIXED)
@@ -1865,7 +1865,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
        if (addr) {
                addr = PAGE_ALIGN(addr);
                vma = find_vma(mm, addr);
-                if (TASK_SIZE - len >= addr &&
+                if (TASK_SIZE - len >= addr && addr >= mmap_min_addr &&
                    (!vma || addr + len <= vma->vm_start))
                        return addr;
        }
@@ -1895,7 +1895,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
        struct vm_unmapped_area_info info;
        /* requested length too big for entire address space */
-        if (len > TASK_SIZE)
+        if (len > TASK_SIZE - mmap_min_addr)
                return -ENOMEM;
        if (flags & MAP_FIXED)
@@ -1905,14 +1905,14 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
        if (addr) {
                addr = PAGE_ALIGN(addr);
                vma = find_vma(mm, addr);
-                if (TASK_SIZE - len >= addr &&
+                if (TASK_SIZE - len >= addr && addr >= mmap_min_addr &&
                                (!vma || addr + len <= vma->vm_start))
                        return addr;
        }
        info.flags = VM_UNMAPPED_AREA_TOPDOWN;
        info.length = len;
-        info.low_limit = PAGE_SIZE;
+        info.low_limit = max(PAGE_SIZE, mmap_min_addr);
        info.high_limit = mm->mmap_base;
        info.align_mask = 0;
        addr = vm_unmapped_area(&info);
author	Akira Takeuchi <takeuchi.akr@jp.panasonic.com>	2013-11-12 18:08:21 -0500
committer	Linus Torvalds <torvalds@linux-foundation.org>	2013-11-12 22:09:10 -0500
commit	2afc745f3e3079ab16c826be4860da2529054dd2 (patch)
tree	2b3aad3cdc87a1c215a9e7d358651ac004e01058 /mm/mmap.c
parent	0cbef29a782162a3896487901eca4550bfa397ef (diff)

diff --git a/mm/mmap.c b/mm/mmap.c index fa206abb5c9d..3d3e224be771 100644 --- a/mm/mmap.c +++ b/mm/mmap.c
@@ -1856,7 +1856,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
1856	struct vm_area_struct *vma;	1856	struct vm_area_struct *vma;
1857	struct vm_unmapped_area_info info;	1857	struct vm_unmapped_area_info info;
1858		1858
1859	if (len > TASK_SIZE)	1859	if (len > TASK_SIZE - mmap_min_addr)
1860	return -ENOMEM;	1860	return -ENOMEM;
1861		1861
1862	if (flags & MAP_FIXED)	1862	if (flags & MAP_FIXED)
@@ -1865,7 +1865,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
1865	if (addr) {	1865	if (addr) {
1866	addr = PAGE_ALIGN(addr);	1866	addr = PAGE_ALIGN(addr);
1867	vma = find_vma(mm, addr);	1867	vma = find_vma(mm, addr);
1868	if (TASK_SIZE - len >= addr &&	1868	if (TASK_SIZE - len >= addr && addr >= mmap_min_addr &&
1869	(!vma \|\| addr + len <= vma->vm_start))	1869	(!vma \|\| addr + len <= vma->vm_start))
1870	return addr;	1870	return addr;
1871	}	1871	}
@@ -1895,7 +1895,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
1895	struct vm_unmapped_area_info info;	1895	struct vm_unmapped_area_info info;
1896		1896
1897	/* requested length too big for entire address space */	1897	/* requested length too big for entire address space */
1898	if (len > TASK_SIZE)	1898	if (len > TASK_SIZE - mmap_min_addr)
1899	return -ENOMEM;	1899	return -ENOMEM;
1900		1900
1901	if (flags & MAP_FIXED)	1901	if (flags & MAP_FIXED)
@@ -1905,14 +1905,14 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
1905	if (addr) {	1905	if (addr) {
1906	addr = PAGE_ALIGN(addr);	1906	addr = PAGE_ALIGN(addr);
1907	vma = find_vma(mm, addr);	1907	vma = find_vma(mm, addr);
1908	if (TASK_SIZE - len >= addr &&	1908	if (TASK_SIZE - len >= addr && addr >= mmap_min_addr &&
1909	(!vma \|\| addr + len <= vma->vm_start))	1909	(!vma \|\| addr + len <= vma->vm_start))
1910	return addr;	1910	return addr;
1911	}	1911	}
1912		1912
1913	info.flags = VM_UNMAPPED_AREA_TOPDOWN;	1913	info.flags = VM_UNMAPPED_AREA_TOPDOWN;
1914	info.length = len;	1914	info.length = len;
1915	info.low_limit = PAGE_SIZE;	1915	info.low_limit = max(PAGE_SIZE, mmap_min_addr);
1916	info.high_limit = mm->mmap_base;	1916	info.high_limit = mm->mmap_base;
1917	info.align_mask = 0;	1917	info.align_mask = 0;
1918	addr = vm_unmapped_area(&info);	1918	addr = vm_unmapped_area(&info);