diff options
| author | Kirill Korotaev <dev@openvz.org> | 2006-09-07 06:17:04 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@g5.osdl.org> | 2006-09-08 11:40:46 -0400 |
| commit | 3a459756810912d2c2bf188cef566af255936b4d (patch) | |
| tree | 1b52d90a2412811ebf5078b4f55112864e1890df /arch/sparc | |
| parent | 10387e5eb45c6e48d67102b88229f5bc6037461c (diff) | |
[PATCH] IA64,sparc: local DoS with corrupted ELFs
This prevents cross-region mappings on IA64 and SPARC which could lead
to system crash. They were correctly trapped for normal mmap() calls,
but not for the kernel internal calls generated by executable loading.
This code just moves the architecture-specific cross-region checks into
an arch-specific "arch_mmap_check()" macro, and defines that for the
architectures that needed it (ia64, sparc and sparc64).
Architectures that don't have any special requirements can just ignore
the new cross-region check, since the mmap() code will just notice on
its own when the macro isn't defined.
Signed-off-by: Pavel Emelianov <xemul@openvz.org>
Signed-off-by: Kirill Korotaev <dev@openvz.org>
Acked-by: David Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
[ Cleaned up to not affect architectures that don't need it ]
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Diffstat (limited to 'arch/sparc')
| -rw-r--r-- | arch/sparc/kernel/sys_sparc.c | 27 |
1 files changed, 15 insertions, 12 deletions
diff --git a/arch/sparc/kernel/sys_sparc.c b/arch/sparc/kernel/sys_sparc.c index a41c8a5c2007..94ff58c9d4a9 100644 --- a/arch/sparc/kernel/sys_sparc.c +++ b/arch/sparc/kernel/sys_sparc.c | |||
| @@ -219,6 +219,21 @@ out: | |||
| 219 | return err; | 219 | return err; |
| 220 | } | 220 | } |
| 221 | 221 | ||
| 222 | int sparc_mmap_check(unsigned long addr, unsigned long len, unsigned long flags) | ||
| 223 | { | ||
| 224 | if (ARCH_SUN4C_SUN4 && | ||
| 225 | (len > 0x20000000 || | ||
| 226 | ((flags & MAP_FIXED) && | ||
| 227 | addr < 0xe0000000 && addr + len > 0x20000000))) | ||
| 228 | return -EINVAL; | ||
| 229 | |||
| 230 | /* See asm-sparc/uaccess.h */ | ||
| 231 | if (len > TASK_SIZE - PAGE_SIZE || addr + len > TASK_SIZE - PAGE_SIZE) | ||
| 232 | return -EINVAL; | ||
| 233 | |||
| 234 | return 0; | ||
| 235 | } | ||
| 236 | |||
| 222 | /* Linux version of mmap */ | 237 | /* Linux version of mmap */ |
| 223 | static unsigned long do_mmap2(unsigned long addr, unsigned long len, | 238 | static unsigned long do_mmap2(unsigned long addr, unsigned long len, |
| 224 | unsigned long prot, unsigned long flags, unsigned long fd, | 239 | unsigned long prot, unsigned long flags, unsigned long fd, |
| @@ -233,25 +248,13 @@ static unsigned long do_mmap2(unsigned long addr, unsigned long len, | |||
| 233 | goto out; | 248 | goto out; |
| 234 | } | 249 | } |
| 235 | 250 | ||
| 236 | retval = -EINVAL; | ||
| 237 | len = PAGE_ALIGN(len); | 251 | len = PAGE_ALIGN(len); |
| 238 | if (ARCH_SUN4C_SUN4 && | ||
| 239 | (len > 0x20000000 || | ||
| 240 | ((flags & MAP_FIXED) && | ||
| 241 | addr < 0xe0000000 && addr + len > 0x20000000))) | ||
| 242 | goto out_putf; | ||
| 243 | |||
| 244 | /* See asm-sparc/uaccess.h */ | ||
| 245 | if (len > TASK_SIZE - PAGE_SIZE || addr + len > TASK_SIZE - PAGE_SIZE) | ||
| 246 | goto out_putf; | ||
| 247 | |||
| 248 | flags &= ~(MAP_EXECUTABLE | MAP_DENYWRITE); | 252 | flags &= ~(MAP_EXECUTABLE | MAP_DENYWRITE); |
| 249 | 253 | ||
| 250 | down_write(¤t->mm->mmap_sem); | 254 | down_write(¤t->mm->mmap_sem); |
| 251 | retval = do_mmap_pgoff(file, addr, len, prot, flags, pgoff); | 255 | retval = do_mmap_pgoff(file, addr, len, prot, flags, pgoff); |
| 252 | up_write(¤t->mm->mmap_sem); | 256 | up_write(¤t->mm->mmap_sem); |
| 253 | 257 | ||
| 254 | out_putf: | ||
| 255 | if (file) | 258 | if (file) |
| 256 | fput(file); | 259 | fput(file); |
| 257 | out: | 260 | out: |