diff options
author | Kirill Korotaev <dev@openvz.org> | 2006-09-07 06:17:04 -0400 |
---|---|---|
committer | Linus Torvalds <torvalds@g5.osdl.org> | 2006-09-08 11:40:46 -0400 |
commit | 3a459756810912d2c2bf188cef566af255936b4d (patch) | |
tree | 1b52d90a2412811ebf5078b4f55112864e1890df /arch/sparc64/kernel/sys_sparc.c | |
parent | 10387e5eb45c6e48d67102b88229f5bc6037461c (diff) |
[PATCH] IA64,sparc: local DoS with corrupted ELFs
This prevents cross-region mappings on IA64 and SPARC which could lead
to system crash. They were correctly trapped for normal mmap() calls,
but not for the kernel internal calls generated by executable loading.
This code just moves the architecture-specific cross-region checks into
an arch-specific "arch_mmap_check()" macro, and defines that for the
architectures that needed it (ia64, sparc and sparc64).
Architectures that don't have any special requirements can just ignore
the new cross-region check, since the mmap() code will just notice on
its own when the macro isn't defined.
Signed-off-by: Pavel Emelianov <xemul@openvz.org>
Signed-off-by: Kirill Korotaev <dev@openvz.org>
Acked-by: David Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
[ Cleaned up to not affect architectures that don't need it ]
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Diffstat (limited to 'arch/sparc64/kernel/sys_sparc.c')
-rw-r--r-- | arch/sparc64/kernel/sys_sparc.c | 36 |
1 files changed, 20 insertions, 16 deletions
diff --git a/arch/sparc64/kernel/sys_sparc.c b/arch/sparc64/kernel/sys_sparc.c index 054d0abdb7ee..bf5f14ee73de 100644 --- a/arch/sparc64/kernel/sys_sparc.c +++ b/arch/sparc64/kernel/sys_sparc.c | |||
@@ -548,6 +548,26 @@ asmlinkage long sparc64_personality(unsigned long personality) | |||
548 | return ret; | 548 | return ret; |
549 | } | 549 | } |
550 | 550 | ||
551 | int sparc64_mmap_check(unsigned long addr, unsigned long len, | ||
552 | unsigned long flags) | ||
553 | { | ||
554 | if (test_thread_flag(TIF_32BIT)) { | ||
555 | if (len >= STACK_TOP32) | ||
556 | return -EINVAL; | ||
557 | |||
558 | if ((flags & MAP_FIXED) && addr > STACK_TOP32 - len) | ||
559 | return -EINVAL; | ||
560 | } else { | ||
561 | if (len >= VA_EXCLUDE_START) | ||
562 | return -EINVAL; | ||
563 | |||
564 | if ((flags & MAP_FIXED) && invalid_64bit_range(addr, len)) | ||
565 | return -EINVAL; | ||
566 | } | ||
567 | |||
568 | return 0; | ||
569 | } | ||
570 | |||
551 | /* Linux version of mmap */ | 571 | /* Linux version of mmap */ |
552 | asmlinkage unsigned long sys_mmap(unsigned long addr, unsigned long len, | 572 | asmlinkage unsigned long sys_mmap(unsigned long addr, unsigned long len, |
553 | unsigned long prot, unsigned long flags, unsigned long fd, | 573 | unsigned long prot, unsigned long flags, unsigned long fd, |
@@ -563,27 +583,11 @@ asmlinkage unsigned long sys_mmap(unsigned long addr, unsigned long len, | |||
563 | } | 583 | } |
564 | flags &= ~(MAP_EXECUTABLE | MAP_DENYWRITE); | 584 | flags &= ~(MAP_EXECUTABLE | MAP_DENYWRITE); |
565 | len = PAGE_ALIGN(len); | 585 | len = PAGE_ALIGN(len); |
566 | retval = -EINVAL; | ||
567 | |||
568 | if (test_thread_flag(TIF_32BIT)) { | ||
569 | if (len >= STACK_TOP32) | ||
570 | goto out_putf; | ||
571 | |||
572 | if ((flags & MAP_FIXED) && addr > STACK_TOP32 - len) | ||
573 | goto out_putf; | ||
574 | } else { | ||
575 | if (len >= VA_EXCLUDE_START) | ||
576 | goto out_putf; | ||
577 | |||
578 | if ((flags & MAP_FIXED) && invalid_64bit_range(addr, len)) | ||
579 | goto out_putf; | ||
580 | } | ||
581 | 586 | ||
582 | down_write(¤t->mm->mmap_sem); | 587 | down_write(¤t->mm->mmap_sem); |
583 | retval = do_mmap(file, addr, len, prot, flags, off); | 588 | retval = do_mmap(file, addr, len, prot, flags, off); |
584 | up_write(¤t->mm->mmap_sem); | 589 | up_write(¤t->mm->mmap_sem); |
585 | 590 | ||
586 | out_putf: | ||
587 | if (file) | 591 | if (file) |
588 | fput(file); | 592 | fput(file); |
589 | out: | 593 | out: |