public inbox for linux-ia64@vger.kernel.org
* [patch] add BUG call to overlapping vma fix
@ 2005-01-14 16:52 Jason Baron
  2005-01-14 23:36 ` Arun Sharma
  2005-01-17 18:32 ` Jason Baron
  0 siblings, 2 replies; 3+ messages in thread
From: Jason Baron @ 2005-01-14 16:52 UTC (permalink / raw)
  To: linux-ia64

[-- Attachment #1: Type: TEXT/PLAIN, Size: 455 bytes --]


hi,

It seems that in ia64_elf32_init, instead of calling return, if we insert
an overlapping vma, we should instead BUG(). We should never get into this
code path, because the vma's are set above PAGE_OFFSET, and thus a
malicious user can not trigger this code path. This change is being
suggested mainly for clarity. Thanks to Stephen Tweedie for pointing out
that returning early in ia64_elf32_init could have unpredictable results.

thanks,

-Jason

[-- Attachment #2: overlapping vma BUG() addition --]
[-- Type: TEXT/PLAIN, Size: 943 bytes --]

--- linux/arch/ia64/ia32/binfmt_elf32.c.bak	Fri Jan 14 11:22:06 2005
+++ linux/arch/ia64/ia32/binfmt_elf32.c	Fri Jan 14 11:23:19 2005
@@ -103,7 +103,7 @@ ia64_elf32_init (struct pt_regs *regs)
 			if (insert_vm_struct(current->mm, vma)) {
 				kmem_cache_free(vm_area_cachep, vma);
 				up_write(&current->mm->mmap_sem);
-				return;
+				BUG();
 			}
 		}
 		up_write(&current->mm->mmap_sem);
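Review bot: With `return;` replaced by `BUG();` in this branch, the error code returned by insert_vm_struct() is still discarded, so nothing records why the insert failed. Consider saving the return value and printing it before the BUG(), and add a short comment above the BUG() stating why the insert is not expected to fail here (the description says the vma's are set above PAGE_OFFSET).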
@@ -130,7 +130,7 @@ ia64_elf32_init (struct pt_regs *regs)
 			if (insert_vm_struct(current->mm, vma)) {
 				kmem_cache_free(vm_area_cachep, vma);
 				up_write(&current->mm->mmap_sem);
-				return;
+				BUG();
 			}
 		}
 		up_write(&current->mm->mmap_sem);
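Review bot: The kmem_cache_free() and up_write() calls ahead of the new BUG() in this branch need a one-line comment, because a reader will otherwise take them for leftovers from the `return;` version. Releasing mmap_sem before BUG() is worth keeping so the task is not torn down with the semaphore still held for write; whether the kmem_cache_free() stays or goes, make the same choice at all three sites.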
@@ -153,7 +153,7 @@ ia64_elf32_init (struct pt_regs *regs)
 			if (insert_vm_struct(current->mm, vma)) {
 				kmem_cache_free(vm_area_cachep, vma);
 				up_write(&current->mm->mmap_sem);
-				return;
+				BUG();
 			}
 		}
 		up_write(&current->mm->mmap_sem);
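Review bot: This is the third copy of the same failure branch in ia64_elf32_init, each now ending in BUG(). A small static helper that wraps the insert_vm_struct() call and its failure handling would keep the three sites from drifting apart and give one place for the comment explaining why the failure is treated as a bug.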


* Re: [patch] add BUG call to overlapping vma fix
  2005-01-14 16:52 [patch] add BUG call to overlapping vma fix Jason Baron
@ 2005-01-14 23:36 ` Arun Sharma
  2005-01-17 18:32 ` Jason Baron
  1 sibling, 0 replies; 3+ messages in thread
From: Arun Sharma @ 2005-01-14 23:36 UTC (permalink / raw)
  To: linux-ia64

On 1/14/2005 8:52 AM, Jason Baron wrote:
> hi,
> 
> It seems that in ia64_elf32_init, instead of calling return, if we insert
> an overlapping vma, we should instead BUG(). We should never get into this
> code path, because the vma's are set above PAGE_OFFSET, and thus a
> malicious user can not trigger this code path. This change is being
> suggested mainly for clarity. Thanks to Stephen Tweedie for pointing out
> that returning early in ia64_elf32_init could have unpredictable results.
> 

Couldn't you get rid of a couple more lines before the BUG()? Otherwise, the patch looks good to me.

	-Arun




* Re: [patch] add BUG call to overlapping vma fix
  2005-01-14 16:52 [patch] add BUG call to overlapping vma fix Jason Baron
  2005-01-14 23:36 ` Arun Sharma
@ 2005-01-17 18:32 ` Jason Baron
  1 sibling, 0 replies; 3+ messages in thread
From: Jason Baron @ 2005-01-17 18:32 UTC (permalink / raw)
  To: linux-ia64


On Fri, 14 Jan 2005, Arun Sharma wrote:

> On 1/14/2005 8:52 AM, Jason Baron wrote:
> > hi,
> > 
> > It seems that in ia64_elf32_init, instead of calling return, if we insert
> > an overlapping vma, we should instead BUG(). We should never get into this
> > code path, because the vma's are set above PAGE_OFFSET, and thus a
> > malicious user can not trigger this code path. This change is being
> > suggested mainly for clarity. Thanks to Stephen Tweedie for pointing out
> > that returning early in ia64_elf32_init could have unpredictable results.
> > 
> 
> Couldn't you get rid of a couple more lines before the BUG()? Otherwise, the patch looks good to me.
> 
> 	-Arun
> 
> 

It kind of makes sense to free the vma, since it's not linked in yet,
and thus wouldn't be freed up via exit_mm. However, I don't really have a
strong preference either way.

-Jason


