* [PATCH RESEND 0/2] mm/mmap: check mapping address limits more strictly
@ 2020-04-14 15:08 Alexander Gordeev
From: Alexander Gordeev @ 2020-04-14 15:08 UTC (permalink / raw)
  To: linux-kernel; +Cc: Alexander Gordeev, linux-mm

The series is against linux-next

CC: linux-mm@kvack.org

Alexander Gordeev (2):
  mm/mmap.c: add more sanity checks to get_unmapped_area()
  mm/mmap.c: deny fixed mappings outside of allowed limits

 mm/mmap.c | 28 +++++++++++++++++-----------
 1 file changed, 17 insertions(+), 11 deletions(-)

-- 
1.8.3.1




* [PATCH RESEND 1/2] mm/mmap.c: add more sanity checks to get_unmapped_area()
@ 2020-04-14 15:08 ` Alexander Gordeev
From: Alexander Gordeev @ 2020-04-14 15:08 UTC (permalink / raw)
  To: linux-kernel; +Cc: Alexander Gordeev, linux-mm

The generic get_unmapped_area() function does sanity checks
of the address and length of the area to be mapped. Yet, it
lacks checks against the mmap_min_addr and mmap_end limits.

At the same time, the default implementation of the functions
arch_get_unmapped_area[_topdown]() and some architecture
callbacks do mmap_min_addr and mmap_end checks on their own.

Put additional checks into the generic code and do not let
architecture callbacks get away with a possible area
outside of the allowed limits.

That could also relieve arch_get_unmapped_area[_topdown]()
callbacks of their own address and length sanity checks.

CC: linux-mm@kvack.org
Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
---
 mm/mmap.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/mm/mmap.c b/mm/mmap.c
index 0681bd5..5b22d47 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -2208,12 +2208,13 @@ unsigned long vm_unmapped_area(struct vm_unmapped_area_info *info)
 	unsigned long (*get_area)(struct file *, unsigned long,
 				  unsigned long, unsigned long, unsigned long);
 
+	const unsigned long mmap_end = arch_get_mmap_end(addr);
 	unsigned long error = arch_mmap_check(addr, len, flags);
 	if (error)
 		return error;
 
 	/* Careful about overflows.. */
-	if (len > TASK_SIZE)
+	if (len > mmap_end - mmap_min_addr)
 		return -ENOMEM;
 
 	get_area = current->mm->get_unmapped_area;
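Review bot: `mmap_end - mmap_min_addr` wraps if mmap_min_addr is ever larger than mmap_end; mmap_min_addr is a runtime-tunable value and mmap_end now comes from arch_get_mmap_end(addr), which an architecture may define to something other than TASK_SIZE, so the subtraction under the "Careful about overflows.." comment should be guarded explicitly, e.g. `if (mmap_min_addr >= mmap_end || len > mmap_end - mmap_min_addr) return -ENOMEM;`. Note also that mmap_end is derived from the caller's hint `addr` before arch_mmap_check() has looked at it, which is fine only if every arch_get_mmap_end() implementation tolerates an arbitrary hint; worth a sentence in the commit message.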
@@ -2234,7 +2235,7 @@ unsigned long vm_unmapped_area(struct vm_unmapped_area_info *info)
 	if (IS_ERR_VALUE(addr))
 		return addr;
 
-	if (addr > TASK_SIZE - len)
+	if ((addr < mmap_min_addr) || (addr > mmap_end - len))
 		return -ENOMEM;
 	if (offset_in_page(addr))
 		return -EINVAL;
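Review bot: the new `addr < mmap_min_addr` test turns the minimum address into an unconditional -ENOMEM for every caller of this function, which is stricter than the capability-aware check that security_mmap_addr() applies later in the same function in the current tree (that hook lets a task with CAP_SYS_RAWIO map below mmap_min_addr, and existing low-memory users depend on that); either state in the commit message that this behaviour change is intended, or restrict the new test to what the arch callback can get wrong and leave the minimum-address policy to the hook. The upper-bound half, `addr > mmap_end - len`, is safe from wrap because the earlier `len > mmap_end - mmap_min_addr` test already bounds len.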
-- 
1.8.3.1




* [PATCH RESEND 2/2] mm/mmap.c: deny fixed mappings outside of allowed limits
@ 2020-04-14 15:08 ` Alexander Gordeev
From: Alexander Gordeev @ 2020-04-14 15:08 UTC (permalink / raw)
  To: linux-kernel; +Cc: Alexander Gordeev, linux-mm

It is possible to request a fixed mapping address below
mmap_min_addr and succeed. This update adds early checks
of mmap_min_addr and mmap_end boundaries and fixes the
above issue.

CC: linux-mm@kvack.org
Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
---
 mm/mmap.c | 23 ++++++++++++++---------
 1 file changed, 14 insertions(+), 9 deletions(-)

diff --git a/mm/mmap.c b/mm/mmap.c
index 5b22d47..9a16e25 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -62,6 +62,14 @@
 #define arch_mmap_check(addr, len, flags)	(0)
 #endif
 
+#ifndef arch_get_mmap_end
+#define arch_get_mmap_end(addr)	(TASK_SIZE)
+#endif
+
+#ifndef arch_get_mmap_base
+#define arch_get_mmap_base(addr, base) (base)
+#endif
+
 #ifdef CONFIG_HAVE_ARCH_MMAP_RND_BITS
 const int mmap_rnd_bits_min = CONFIG_ARCH_MMAP_RND_BITS_MIN;
 const int mmap_rnd_bits_max = CONFIG_ARCH_MMAP_RND_BITS_MAX;
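Review bot: the commit message does not mention that the arch_get_mmap_end()/arch_get_mmap_base() fallback definitions are being relocated, yet the move is what makes arch_get_mmap_end() visible to do_mmap(), which sits earlier in the file than the old definition next to vm_unmapped_area(); say so in the log, and either move only arch_get_mmap_end() if arch_get_mmap_base() has no user this early, or state that both are moved together deliberately to keep the pair beside the arch_mmap_check() fallback.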
@@ -1369,6 +1377,7 @@ unsigned long do_mmap(struct file *file, unsigned long addr,
 			unsigned long pgoff, unsigned long *populate,
 			struct list_head *uf)
 {
+	const unsigned long mmap_end = arch_get_mmap_end(addr);
 	struct mm_struct *mm = current->mm;
 	int pkey = 0;
 
@@ -1391,8 +1400,12 @@ unsigned long do_mmap(struct file *file, unsigned long addr,
 	if (flags & MAP_FIXED_NOREPLACE)
 		flags |= MAP_FIXED;
 
-	if (!(flags & MAP_FIXED))
+	if (flags & MAP_FIXED) {
+		if ((addr < mmap_min_addr) || (addr > mmap_end))
+			return -ENOMEM;
+	} else {
 		addr = round_hint_to_min(addr);
+	}
 
 	/* Careful about overflows.. */
 	len = PAGE_ALIGN(len);
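Review bot: `addr > mmap_end` only rejects a MAP_FIXED start address beyond the limit; a request that starts below mmap_end but whose `len` reaches past it still passes here and relies on the later `addr > mmap_end - len` test in get_unmapped_area() from 1/2, so either move this check below the existing length overflow checks (after `len = PAGE_ALIGN(len)`) and use `addr > mmap_end - len`, or say in the commit message that only the start address is validated early. The `addr < mmap_min_addr` half raises the same question as in 1/2: with MAP_FIXED_NOREPLACE now also taking this path (it sets MAP_FIXED just above), a CAP_SYS_RAWIO task that could previously map below mmap_min_addr now gets -ENOMEM unconditionally, which should be called out as intended if it is.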
@@ -2089,14 +2102,6 @@ unsigned long vm_unmapped_area(struct vm_unmapped_area_info *info)
 	return addr;
 }
 
-#ifndef arch_get_mmap_end
-#define arch_get_mmap_end(addr)	(TASK_SIZE)
-#endif
-
-#ifndef arch_get_mmap_base
-#define arch_get_mmap_base(addr, base) (base)
-#endif
-
 /* Get an address range which is currently unmapped.
  * For shmat() with addr=0.
  *
-- 
1.8.3.1



