From: Cyrill Gorcunov <gorcunov@gmail.com>
To: Alan Cox <alan@lxorguk.ukuu.org.uk>
Cc: WU Fengguang <wfg@mail.ustc.edu.cn>,
	Balbir Singh <balbir@linux.vnet.ibm.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	linux-kernel <linux-kernel@vger.kernel.org>,
	Paul Moore <paul.moore@hp.com>,
	Stephen Smalley <sds@epoch.ncsc.mil>,
	Chris Vance <cvance@nai.com>, Wayne Salamon <wsalamon@nai.com>,
	James Morris <jmorris@redhat.com>,
	dgoeddel@trustedcs.com
Subject: Re: [BUGFIX] NULL pointer dereference in __vm_enough_memory()
Date: Sun, 12 Aug 2007 20:21:43 +0400	[thread overview]
Message-ID: <20070812162143.GA7202@cvg> (raw)
In-Reply-To: <20070812161744.200d4252@the-village.bc.nu>

[Alan Cox - Sun, Aug 12, 2007 at 04:17:44PM +0100]
| Try this (it compiles but isn't tested). It's a weekend here, the sun is
| shining, the beach is a short walk, and I have more interesting things to
| do right now 8)
| 
| 
| diff -u --new-file --recursive --exclude-from /usr/src/exclude linux.vanilla-2.6.23rc1-mm1/include/linux/mm.h linux-2.6.23rc1-mm1/include/linux/mm.h
| --- linux.vanilla-2.6.23rc1-mm1/include/linux/mm.h	2007-07-26 15:02:58.000000000 +0100
| +++ linux-2.6.23rc1-mm1/include/linux/mm.h	2007-08-12 13:54:24.614647536 +0100
| @@ -1079,7 +1079,7 @@
|  }
|  
|  /* mmap.c */
| -extern int __vm_enough_memory(long pages, int cap_sys_admin);
| +extern int __vm_enough_memory(struct mm_struct *mm, long pages, int cap_sys_admin);
|  extern void vma_adjust(struct vm_area_struct *vma, unsigned long start,
|  	unsigned long end, pgoff_t pgoff, struct vm_area_struct *insert);
|  extern struct vm_area_struct *vma_merge(struct mm_struct *,
| diff -u --new-file --recursive --exclude-from /usr/src/exclude linux.vanilla-2.6.23rc1-mm1/include/linux/security.h linux-2.6.23rc1-mm1/include/linux/security.h
| --- linux.vanilla-2.6.23rc1-mm1/include/linux/security.h	2007-07-26 15:02:58.000000000 +0100
| +++ linux-2.6.23rc1-mm1/include/linux/security.h	2007-08-12 14:13:10.383504656 +0100
| @@ -58,7 +58,7 @@
|  extern int cap_task_setioprio (struct task_struct *p, int ioprio);
|  extern int cap_task_setnice (struct task_struct *p, int nice);
|  extern int cap_syslog (int type);
| -extern int cap_vm_enough_memory (long pages);
| +extern int cap_vm_enough_memory (struct mm_struct *mm, long pages);
|  
|  struct msghdr;
|  struct sk_buff;
| @@ -1129,6 +1129,7 @@
|   *	Return 0 if permission is granted.
|   * @vm_enough_memory:
|   *	Check permissions for allocating a new virtual mapping.
| + *	@mm contains the mm struct it is being added to.
|   *      @pages contains the number of pages.
|   *	Return 0 if permission is granted.
|   *
| @@ -1173,7 +1174,7 @@
|  	int (*quota_on) (struct dentry * dentry);
|  	int (*syslog) (int type);
|  	int (*settime) (struct timespec *ts, struct timezone *tz);
| -	int (*vm_enough_memory) (long pages);
| +	int (*vm_enough_memory) (struct mm_struct *mm, long pages);
|  
|  	int (*bprm_alloc_security) (struct linux_binprm * bprm);
|  	void (*bprm_free_security) (struct linux_binprm * bprm);
| @@ -1439,6 +1440,7 @@
|  int security_syslog(int type);
|  int security_settime(struct timespec *ts, struct timezone *tz);
|  int security_vm_enough_memory(long pages);
| +int security_vm_enough_memory_mm(struct mm_struct *mm, long pages);
|  int security_bprm_alloc(struct linux_binprm *bprm);
|  void security_bprm_free(struct linux_binprm *bprm);
|  void security_bprm_apply_creds(struct linux_binprm *bprm, int unsafe);
| diff -u --new-file --recursive --exclude-from /usr/src/exclude linux.vanilla-2.6.23rc1-mm1/mm/mmap.c linux-2.6.23rc1-mm1/mm/mmap.c
| --- linux.vanilla-2.6.23rc1-mm1/mm/mmap.c	2007-07-26 15:02:58.000000000 +0100
| +++ linux-2.6.23rc1-mm1/mm/mmap.c	2007-08-12 13:53:22.000000000 +0100
| @@ -93,7 +93,7 @@
|   * Note this is a helper function intended to be used by LSMs which
|   * wish to use this logic.
|   */
| -int __vm_enough_memory(long pages, int cap_sys_admin)
| +int __vm_enough_memory(struct mm_struct *mm, long pages, int cap_sys_admin)
|  {
|  	unsigned long free, allowed;
|  
| @@ -166,7 +166,7 @@
|  
|  	/* Don't let a single process grow too big:
|  	   leave 3% of the size of this process for other processes */
| -	allowed -= current->mm->total_vm / 32;
| +	allowed -= mm->total_vm / 32;

So mm->total_vm is 0 for the __bprm_mm_init case. Is that ok? Or am I
missing something?

|  
|  	/*
|  	 * cast `allowed' as a signed long because vm_committed_space
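Review bot: `allowed -= mm->total_vm / 32;` dereferences mm unconditionally, while the compatibility wrapper kept in security.c (`return security_ops->vm_enough_memory(current->mm, pages);`) still passes `current->mm` through unchecked, so for a caller whose current->mm is NULL — the condition this thread's subject describes — the NULL dereference is relocated rather than removed. A guard such as `if (mm) allowed -= mm->total_vm / 32;` would skip the per-process reservation when there is no process mm to reserve against and make the helper safe for both entry points. The same consideration applies to the nommu.c copy of __vm_enough_memory if its body carries the same line. __vm_enough_memory's body continues outside this hunk.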
| @@ -2058,7 +2058,7 @@
|  	if (__vma && __vma->vm_start < vma->vm_end)
|  		return -ENOMEM;
|  	if ((vma->vm_flags & VM_ACCOUNT) &&
| -	     security_vm_enough_memory(vma_pages(vma)))
| +	     security_vm_enough_memory_mm(mm, vma_pages(vma)))
|  		return -ENOMEM;
|  	vma_link(mm, vma, prev, rb_link, rb_parent);
|  	return 0;
| diff -u --new-file --recursive --exclude-from /usr/src/exclude linux.vanilla-2.6.23rc1-mm1/mm/nommu.c linux-2.6.23rc1-mm1/mm/nommu.c
| --- linux.vanilla-2.6.23rc1-mm1/mm/nommu.c	2007-07-26 15:02:08.000000000 +0100
| +++ linux-2.6.23rc1-mm1/mm/nommu.c	2007-08-12 13:53:57.000000000 +0100
| @@ -1270,7 +1270,7 @@
|   * Note this is a helper function intended to be used by LSMs which
|   * wish to use this logic.
|   */
| -int __vm_enough_memory(long pages, int cap_sys_admin)
| +int __vm_enough_memory(struct mm_struct *mm, long pages, int cap_sys_admin)
|  {
|  	unsigned long free, allowed;
|  
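Review bot: Only the signature of the nommu.c __vm_enough_memory is changed here; its body lies outside the hunk, and if it computes the per-process reservation from `current->mm` the way the mmap.c copy did before this patch, that line is not converted and the new `mm` parameter is never read. Worth confirming that the corresponding nommu.c line was updated to `mm->total_vm` as in mmap.c, since the nommu build otherwise keeps the original behaviour. The function body continues beyond this hunk.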
| diff -u --new-file --recursive --exclude-from /usr/src/exclude linux.vanilla-2.6.23rc1-mm1/security/commoncap.c linux-2.6.23rc1-mm1/security/commoncap.c
| --- linux.vanilla-2.6.23rc1-mm1/security/commoncap.c	2007-07-26 15:02:59.000000000 +0100
| +++ linux-2.6.23rc1-mm1/security/commoncap.c	2007-08-12 14:13:29.000000000 +0100
| @@ -489,13 +489,13 @@
|  	return 0;
|  }
|  
| -int cap_vm_enough_memory(long pages)
| +int cap_vm_enough_memory(struct mm_struct *mm, long pages)
|  {
|  	int cap_sys_admin = 0;
|  
|  	if (cap_capable(current, CAP_SYS_ADMIN) == 0)
|  		cap_sys_admin = 1;
| -	return __vm_enough_memory(pages, cap_sys_admin);
| +	return __vm_enough_memory(mm, pages, cap_sys_admin);
|  }
|  
|  EXPORT_SYMBOL(cap_capable);
| diff -u --new-file --recursive --exclude-from /usr/src/exclude linux.vanilla-2.6.23rc1-mm1/security/dummy.c linux-2.6.23rc1-mm1/security/dummy.c
| --- linux.vanilla-2.6.23rc1-mm1/security/dummy.c	2007-07-26 15:02:59.000000000 +0100
| +++ linux-2.6.23rc1-mm1/security/dummy.c	2007-08-12 14:10:49.000000000 +0100
| @@ -107,13 +107,13 @@
|  	return 0;
|  }
|  
| -static int dummy_vm_enough_memory(long pages)
| +static int dummy_vm_enough_memory(struct mm_struct *mm, long pages)
|  {
|  	int cap_sys_admin = 0;
|  
|  	if (dummy_capable(current, CAP_SYS_ADMIN) == 0)
|  		cap_sys_admin = 1;
| -	return __vm_enough_memory(pages, cap_sys_admin);
| +	return __vm_enough_memory(mm, pages, cap_sys_admin);
|  }
|  
|  static int dummy_bprm_alloc_security (struct linux_binprm *bprm)
| diff -u --new-file --recursive --exclude-from /usr/src/exclude linux.vanilla-2.6.23rc1-mm1/security/security.c linux-2.6.23rc1-mm1/security/security.c
| --- linux.vanilla-2.6.23rc1-mm1/security/security.c	2007-07-26 15:02:59.000000000 +0100
| +++ linux-2.6.23rc1-mm1/security/security.c	2007-08-12 13:47:53.000000000 +0100
| @@ -237,10 +237,14 @@
|  	return security_ops->settime(ts, tz);
|  }
|  
| -
|  int security_vm_enough_memory(long pages)
|  {
| -	return security_ops->vm_enough_memory(pages);
| +	return security_ops->vm_enough_memory(current->mm, pages);
| +}
| +
| +int security_vm_enough_memory_mm(struct mm_struct *mm, long pages)
| +{
| +	return security_ops->vm_enough_memory(mm, pages);
|  }
|  
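Review bot: The two wrappers now duplicate the call into security_ops; `security_vm_enough_memory()` could simply be `return security_vm_enough_memory_mm(current->mm, pages);` so there is one place that resolves the hook. That also gives a single spot to document, or to check, that `current->mm` may be NULL for the callers that stay on the old entry point.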
|  int security_bprm_alloc(struct linux_binprm *bprm)
| diff -u --new-file --recursive --exclude-from /usr/src/exclude linux.vanilla-2.6.23rc1-mm1/security/selinux/hooks.c linux-2.6.23rc1-mm1/security/selinux/hooks.c
| --- linux.vanilla-2.6.23rc1-mm1/security/selinux/hooks.c	2007-07-26 15:02:59.000000000 +0100
| +++ linux-2.6.23rc1-mm1/security/selinux/hooks.c	2007-08-12 14:11:21.000000000 +0100
| @@ -1584,7 +1584,7 @@
|   * Do not audit the selinux permission check, as this is applied to all
|   * processes that allocate mappings.
|   */
| -static int selinux_vm_enough_memory(long pages)
| +static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
|  {
|  	int rc, cap_sys_admin = 0;
|  	struct task_security_struct *tsec = current->security;
| @@ -1600,7 +1600,7 @@
|  	if (rc == 0)
|  		cap_sys_admin = 1;
|  
| -	return __vm_enough_memory(pages, cap_sys_admin);
| +	return __vm_enough_memory(mm, pages, cap_sys_admin);
|  }
|  
|  /* binprm security operations */

		Cyrill

