fix NULL pointer dereference in __vm_enough_memory()

The new exec code inserts an accounted vma into an mm struct which is not current->mm. The existing memory check code has a hard coded assumption that this does not happen as does the security code. As the correct mm is known we pass the mm to the security method and the helper function. A new security test is added for the case where we need to pass the mm and the existing one is modified to pass current->mm to avoid the need to change large amounts of code. (Thanks to Tobias for fixing rejects and testing) Signed-off-by: Alan Cox <alan@redhat.com> Cc: WU Fengguang <wfg@mail.ustc.edu.cn> Cc: James Morris <jmorris@redhat.com> Cc: Tobias Diedrich <ranma+kernel@tdiedrich.de> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
author: Alan Cox <alan@lxorguk.ukuu.org.uk> 2007-08-22 17:01:28 -0400
committer: Linus Torvalds <torvalds@woody.linux-foundation.org> 2007-08-22 22:52:45 -0400
commit: 34b4e4aa3c470ce8fa2bd78abb1741b4b58baad7 (patch)
tree: 91d620288f1aaf63c12dc84ca1015465818601f2 /security
parent: afe1ab4d577892822de2c8e803fbfaed6ec44ba3 (diff)
3 files changed, 6 insertions, 6 deletions
diff --git a/security/commoncap.c b/security/commoncap.c
index 338606eb7238..7520361663e8 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -315,13 +315,13 @@ int cap_syslog (int type)
        return 0;
 }
-int cap_vm_enough_memory(long pages)
+int cap_vm_enough_memory(struct mm_struct *mm, long pages)
 {
        int cap_sys_admin = 0;
        if (cap_capable(current, CAP_SYS_ADMIN) == 0)
                cap_sys_admin = 1;
-        return __vm_enough_memory(pages, cap_sys_admin);
+        return __vm_enough_memory(mm, pages, cap_sys_admin);
 }
 EXPORT_SYMBOL(cap_capable);
diff --git a/security/dummy.c b/security/dummy.c
index 19d813d5e083..853ec2292798 100644
--- a/security/dummy.c
+++ b/security/dummy.c
@@ -108,13 +108,13 @@ static int dummy_settime(struct timespec *ts, struct timezone *tz)
        return 0;
 }
-static int dummy_vm_enough_memory(long pages)
+static int dummy_vm_enough_memory(struct mm_struct *mm, long pages)
 {
        int cap_sys_admin = 0;
        if (dummy_capable(current, CAP_SYS_ADMIN) == 0)
                cap_sys_admin = 1;
-        return __vm_enough_memory(pages, cap_sys_admin);
+        return __vm_enough_memory(mm, pages, cap_sys_admin);
 }
 static int dummy_bprm_alloc_security (struct linux_binprm *bprm)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 6237933f7d82..d8bc4172819c 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1584,7 +1584,7 @@ static int selinux_syslog(int type)
 * Do not audit the selinux permission check, as this is applied to all
 * processes that allocate mappings.
 */
-static int selinux_vm_enough_memory(long pages)
+static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
 {
        int rc, cap_sys_admin = 0;
        struct task_security_struct *tsec = current->security;
@@ -1600,7 +1600,7 @@ static int selinux_vm_enough_memory(long pages)
        if (rc == 0)
                cap_sys_admin = 1;
-        return __vm_enough_memory(pages, cap_sys_admin);
+        return __vm_enough_memory(mm, pages, cap_sys_admin);
 }
 /* binprm security operations */
author	Alan Cox <alan@lxorguk.ukuu.org.uk>	2007-08-22 17:01:28 -0400
committer	Linus Torvalds <torvalds@woody.linux-foundation.org>	2007-08-22 22:52:45 -0400
commit	34b4e4aa3c470ce8fa2bd78abb1741b4b58baad7 (patch)
tree	91d620288f1aaf63c12dc84ca1015465818601f2 /security
parent	afe1ab4d577892822de2c8e803fbfaed6ec44ba3 (diff)

diff --git a/security/commoncap.c b/security/commoncap.c index 338606eb7238..7520361663e8 100644 --- a/security/commoncap.c +++ b/security/commoncap.c
@@ -315,13 +315,13 @@ int cap_syslog (int type)
315	return 0;	315	return 0;
316	}	316	}
317		317
318	int cap_vm_enough_memory(long pages)	318	int cap_vm_enough_memory(struct mm_struct *mm, long pages)
319	{	319	{
320	int cap_sys_admin = 0;	320	int cap_sys_admin = 0;
321		321
322	if (cap_capable(current, CAP_SYS_ADMIN) == 0)	322	if (cap_capable(current, CAP_SYS_ADMIN) == 0)
323	cap_sys_admin = 1;	323	cap_sys_admin = 1;
324	return __vm_enough_memory(pages, cap_sys_admin);	324	return __vm_enough_memory(mm, pages, cap_sys_admin);
325	}	325	}
326		326
327	EXPORT_SYMBOL(cap_capable);	327	EXPORT_SYMBOL(cap_capable);


diff --git a/security/dummy.c b/security/dummy.c index 19d813d5e083..853ec2292798 100644 --- a/security/dummy.c +++ b/security/dummy.c
@@ -108,13 +108,13 @@ static int dummy_settime(struct timespec ts, struct timezone tz)
108	return 0;	108	return 0;
109	}	109	}
110		110
111	static int dummy_vm_enough_memory(long pages)	111	static int dummy_vm_enough_memory(struct mm_struct *mm, long pages)
112	{	112	{
113	int cap_sys_admin = 0;	113	int cap_sys_admin = 0;
114		114
115	if (dummy_capable(current, CAP_SYS_ADMIN) == 0)	115	if (dummy_capable(current, CAP_SYS_ADMIN) == 0)
116	cap_sys_admin = 1;	116	cap_sys_admin = 1;
117	return __vm_enough_memory(pages, cap_sys_admin);	117	return __vm_enough_memory(mm, pages, cap_sys_admin);
118	}	118	}
119		119
120	static int dummy_bprm_alloc_security (struct linux_binprm *bprm)	120	static int dummy_bprm_alloc_security (struct linux_binprm *bprm)


diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 6237933f7d82..d8bc4172819c 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c
@@ -1584,7 +1584,7 @@ static int selinux_syslog(int type)
1584	* Do not audit the selinux permission check, as this is applied to all	1584	* Do not audit the selinux permission check, as this is applied to all
1585	* processes that allocate mappings.	1585	* processes that allocate mappings.
1586	*/	1586	*/
1587	static int selinux_vm_enough_memory(long pages)	1587	static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1588	{	1588	{
1589	int rc, cap_sys_admin = 0;	1589	int rc, cap_sys_admin = 0;
1590	struct task_security_struct *tsec = current->security;	1590	struct task_security_struct *tsec = current->security;
@@ -1600,7 +1600,7 @@ static int selinux_vm_enough_memory(long pages)
1600	if (rc == 0)	1600	if (rc == 0)
1601	cap_sys_admin = 1;	1601	cap_sys_admin = 1;
1602		1602
1603	return __vm_enough_memory(pages, cap_sys_admin);	1603	return __vm_enough_memory(mm, pages, cap_sys_admin);
1604	}	1604	}
1605		1605
1606	/* binprm security operations */	1606	/* binprm security operations */