authorKirill Korotaev <dev@openvz.org>2006-09-07 06:17:04 -0400
committerLinus Torvalds <torvalds@g5.osdl.org>2006-09-08 11:40:46 -0400
commit3a459756810912d2c2bf188cef566af255936b4d (patch)
tree1b52d90a2412811ebf5078b4f55112864e1890df /arch/ia64/kernel/sys_ia64.c
parent10387e5eb45c6e48d67102b88229f5bc6037461c (diff)
[PATCH] IA64,sparc: local DoS with corrupted ELFs
This prevents cross-region mappings on IA64 and SPARC which could lead to system crash. They were correctly trapped for normal mmap() calls, but not for the kernel internal calls generated by executable loading. This code just moves the architecture-specific cross-region checks into an arch-specific "arch_mmap_check()" macro, and defines that for the architectures that needed it (ia64, sparc and sparc64). Architectures that don't have any special requirements can just ignore the new cross-region check, since the mmap() code will just notice on its own when the macro isn't defined. Signed-off-by: Pavel Emelianov <xemul@openvz.org> Signed-off-by: Kirill Korotaev <dev@openvz.org> Acked-by: David Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> [ Cleaned up to not affect architectures that don't need it ] Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Diffstat (limited to 'arch/ia64/kernel/sys_ia64.c')
-rw-r--r--arch/ia64/kernel/sys_ia64.c28
1 files changed, 16 insertions, 12 deletions
diff --git a/arch/ia64/kernel/sys_ia64.c b/arch/ia64/kernel/sys_ia64.c
index 40722d88607a..9ef62a3fbfad 100644
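--- a/arch/ia64/kernel/sys_ia64.c
+++ b/arch/ia64/kernel/sys_ia64.c
@@ -163,10 +163,25 @@ sys_pipe (void)
  return retval;
 }
 
+int ia64_mmap_check(unsigned long addr, unsigned long len,
+ unsigned long flags)
+{
+ unsigned long roff;
+
+ /*
+ * Don't permit mappings into unmapped space, the virtual page table
+ * of a region, or across a region boundary. Note: RGN_MAP_LIMIT is
+ * equal to 2^n-PAGE_SIZE (for some integer n <= 61) and len > 0.
+ */
+ roff = REGION_OFFSET(addr);
+ if ((len > RGN_MAP_LIMIT) || (roff > (RGN_MAP_LIMIT - len)))
+ return -EINVAL;
+ return 0;
+}
+
 static inline unsigned long
 do_mmap2 (unsigned long addr, unsigned long len, int prot, int flags, int fd, unsigned long pgoff)
 {
- unsigned long roff;
  struct file *file = NULL;
 
  flags &= ~(MAP_EXECUTABLE | MAP_DENYWRITE);
@@ -188,17 +203,6 @@ do_mmap2 (unsigned long addr, unsigned long len, int prot, int flags, int fd, un
  goto out;
  }
 
- /*
- * Don't permit mappings into unmapped space, the virtual page table of a region,
- * or across a region boundary. Note: RGN_MAP_LIMIT is equal to 2^n-PAGE_SIZE
- * (for some integer n <= 61) and len > 0.
- */
- roff = REGION_OFFSET(addr);
- if ((len > RGN_MAP_LIMIT) || (roff > (RGN_MAP_LIMIT - len))) {
- addr = -EINVAL;
- goto out;
- }
-
  down_write(&current->mm->mmap_sem);
  addr = do_mmap_pgoff(file, addr, len, prot, flags, pgoff);
  up_write(&current->mm->mmap_sem);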
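Review bot: The comment carried into the new `ia64_mmap_check()` still states `len > 0` as a fact, but that described the check's old position inside `do_mmap2()`. The function is now non-static and, per the commit message, reached from the kernel-internal mapping path as well, so the precondition has become an obligation on a caller that this file section does not show. I would add a header comment stating the contract, for example `/* Returns 0 or -EINVAL. Caller must pass len > 0; flags is currently unused. */`, since `flags` is accepted but never read in the body. It is also worth noting in the existing comment that the `len > RGN_MAP_LIMIT` test must stay first, because it is what keeps `RGN_MAP_LIMIT - len` from wrapping in the second comparison. The body of `do_mmap2()` between the two hunks is not visible, so whether any other use of `roff` remains there cannot be confirmed from this page.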