[PATCH] IA64,sparc: local DoS with corrupted ELFs

This prevents cross-region mappings on IA64 and SPARC which could lead to system crash. They were correctly trapped for normal mmap() calls, but not for the kernel internal calls generated by executable loading. This code just moves the architecture-specific cross-region checks into an arch-specific "arch_mmap_check()" macro, and defines that for the architectures that needed it (ia64, sparc and sparc64). Architectures that don't have any special requirements can just ignore the new cross-region check, since the mmap() code will just notice on its own when the macro isn't defined. Signed-off-by: Pavel Emelianov <xemul@openvz.org> Signed-off-by: Kirill Korotaev <dev@openvz.org> Acked-by: David Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> [ Cleaned up to not affect architectures that don't need it ] Signed-off-by: Linus Torvalds <torvalds@osdl.org>
author: Kirill Korotaev <dev@openvz.org> 2006-09-07 06:17:04 -0400
committer: Linus Torvalds <torvalds@g5.osdl.org> 2006-09-08 11:40:46 -0400
commit: 3a459756810912d2c2bf188cef566af255936b4d (patch)
tree: 1b52d90a2412811ebf5078b4f55112864e1890df /mm/mmap.c
parent: 10387e5eb45c6e48d67102b88229f5bc6037461c (diff)
1 files changed, 15 insertions, 2 deletions
diff --git a/mm/mmap.c b/mm/mmap.c
index c1868ecdbc5f..e66a0b524aff 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -30,6 +30,10 @@
 #include <asm/cacheflush.h>
 #include <asm/tlb.h>
+#ifndef arch_mmap_check
+#define arch_mmap_check(addr, len, flags)       (0)
+#endif
 static void unmap_region(struct mm_struct *mm,
                struct vm_area_struct *vma, struct vm_area_struct *prev,
                unsigned long start, unsigned long end);
@@ -913,6 +917,10 @@ unsigned long do_mmap_pgoff(struct file * file, unsigned long addr,
        if (!len)
                return -EINVAL;
+        error = arch_mmap_check(addr, len, flags);
+        if (error)
+                return error;
        /* Careful about overflows.. */
        len = PAGE_ALIGN(len);
        if (!len || len > TASK_SIZE)
@@ -1859,6 +1867,7 @@ unsigned long do_brk(unsigned long addr, unsigned long len)
        unsigned long flags;
        struct rb_node ** rb_link, * rb_parent;
        pgoff_t pgoff = addr >> PAGE_SHIFT;
+        int error;
        len = PAGE_ALIGN(len);
        if (!len)
@@ -1867,6 +1876,12 @@ unsigned long do_brk(unsigned long addr, unsigned long len)
        if ((addr + len) > TASK_SIZE || (addr + len) < addr)
                return -EINVAL;
+        flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
+        error = arch_mmap_check(addr, len, flags);
+        if (error)
+                return error;
        /*
         * mlock MCL_FUTURE?
         */
@@ -1907,8 +1922,6 @@ unsigned long do_brk(unsigned long addr, unsigned long len)
        if (security_vm_enough_memory(len >> PAGE_SHIFT))
                return -ENOMEM;
-        flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
        /* Can we just expand an old private anonymous mapping? */
        if (vma_merge(mm, prev, addr, addr + len, flags,
                                        NULL, NULL, pgoff, NULL))
author	Kirill Korotaev <dev@openvz.org>	2006-09-07 06:17:04 -0400
committer	Linus Torvalds <torvalds@g5.osdl.org>	2006-09-08 11:40:46 -0400
commit	3a459756810912d2c2bf188cef566af255936b4d (patch)
tree	1b52d90a2412811ebf5078b4f55112864e1890df /mm/mmap.c
parent	10387e5eb45c6e48d67102b88229f5bc6037461c (diff)