* [RFC PATCH 0/6] Check length of unmapped area on MAP_FIXED
From: Liam Howlett @ 2021-12-06 15:02 UTC
To: Liam Howlett, linux-kernel@vger.kernel.org, Vineet Gupta,
linux-snps-arc@lists.infradead.org, Russell King,
linux-arm-kernel@lists.infradead.org, Nick Hu, Greentime Hu,
Vincent Chen, Yoshinori Sato, Rich Felker, linux-sh@vger.kernel.org,
David S. Miller, sparclinux@vger.kernel.org
RFC because the patches are not well tested. I've not triggered the
issue these patches fix, but have compile tested arm, sh, and sparc64
using the default config. Please test the patches before accepting them
on your arch.
arc, arm, nds32, sparc32 and sparc64 do not check the size of the
requested MAP_FIXED before returning the address. It appears this issue
was cloned across various architectures and, in some cases, affects both
bottom up and top down searches. This set of patches aligns all
platforms and search directions to check the size of a MAP_FIXED
request before returning the fixed address.
Liam R. Howlett (6):
ARC: mm/mmap.c: Check length of unmapped area before allowing
MAP_FIXED
[ARM] mm/mmap.c: Check length of unmapped area before allowing
MAP_FIXED
nds32/mm/mmap.c: Check length of unmapped area before allowing
MAP_FIXED
sh/mm/mmap.c: Check length of unmapped area before allowing MAP_FIXED
sys_sparc_32.c: Check length of unmapped area before allowing
MAP_FIXED
sys_sparc_64.c: Check length of unmapped area before allowing
MAP_FIXED
arch/arc/mm/mmap.c | 6 +++---
arch/arm/mm/mmap.c | 6 +++---
arch/nds32/mm/mmap.c | 6 +++---
arch/sh/mm/mmap.c | 12 ++++++------
arch/sparc/kernel/sys_sparc_32.c | 7 ++++---
arch/sparc/kernel/sys_sparc_64.c | 16 ++++++++--------
6 files changed, 27 insertions(+), 26 deletions(-)
--
2.30.2
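Added example, not part of this thread or of the patches above: a small userspace probe for the condition the cover letter describes, which the author says has not been triggered. It asks mmap() for two MAP_FIXED mappings that cannot possibly fit, one whose length alone exceeds any address space and one whose length is legal but whose range runs off the end of it, and returns the errno the kernel hands back, so it can be run on any arch before and after applying the series. It uses MAP_FIXED_NOREPLACE (which the kernel folds into MAP_FIXED before calling the arch hook, and which older kernels ignore) so that a missing check can never replace the process's own mappings. The addresses, lengths and the expectation of ENOMEM are this example's own assumptions and are not stated anywhere in the patches.

```c
/*
 * Added example (not part of the patch series): a userspace probe for the
 * behaviour the cover letter describes. It asks mmap() for MAP_FIXED
 * mappings that cannot fit in the address space and reports the errno
 * the kernel returns. On a correct kernel both requests fail with ENOMEM
 * whichever arch_get_unmapped_area() implementation is in use.
 * Assumptions (this example's own): a Linux system, and UINTPTR_MAX lying
 * above the end of the user address space on every arch.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Older headers may lack MAP_FIXED_NOREPLACE (Linux 4.17+). The kernel turns
 * it into MAP_FIXED before the arch hook runs, but refuses to replace an
 * existing mapping, so a missing check cannot wipe out our own address
 * space while probing. Kernels that do not know the flag ignore it. */
#ifndef MAP_FIXED_NOREPLACE
#define MAP_FIXED_NOREPLACE 0x100000
#endif

/* Issue a fixed-address anonymous mapping and return the resulting errno,
 * or 0 if the kernel unexpectedly accepted it (the mapping is torn down). */
static int probe_fixed(void *addr, size_t len)
{
    void *p = mmap(addr, len, PROT_NONE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED_NOREPLACE, -1, 0);
    if (p == MAP_FAILED)
        return errno;
    munmap(p, len);
    return 0;
}

/* Case 1: len alone exceeds any possible address space. A length check
 * placed before the MAP_FIXED branch (or the generic caller's own check)
 * must reject this before the fixed address is trusted. Expected: ENOMEM.
 * The address 0x10000000 is an arbitrary page-aligned value above
 * mmap_min_addr; it is never reached if the length check works. */
int fixed_len_too_large(void)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t len = SIZE_MAX & ~(page - 1);   /* largest page-aligned length */
    return probe_fixed((void *)(uintptr_t)0x10000000, len);
}

/* Case 2: len is small and legal, but addr + len runs past the end of the
 * address space. A length-only test such as "len > TASK_SIZE" lets this
 * through; only a range check on addr + len catches it. Expected: ENOMEM. */
int fixed_range_overflows(void)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    uintptr_t last_page = UINTPTR_MAX & ~(uintptr_t)(page - 1);
    return probe_fixed((void *)last_page, 2 * page);
}

int main(void)
{
    int e1 = fixed_len_too_large();
    int e2 = fixed_range_overflows();
    printf("len too large   : %s\n", e1 ? strerror(e1) : "ACCEPTED (bug)");
    printf("range overflows : %s\n", e2 ? strerror(e2) : "ACCEPTED (bug)");
    return (e1 == ENOMEM && e2 == ENOMEM) ? 0 : 1;
}
```

Build with `cc -O2 probe.c -o probe && ./probe`; exit status 0 means both requests were refused with ENOMEM. The second case is the one a length-only check cannot catch, which is why it is included alongside the oversized-length case the series is about.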
* [RFC PATCH 1/6] ARC: mm/mmap.c: Check length of unmapped area before allowing MAP_FIXED
From: Liam Howlett @ 2021-12-06 15:02 UTC
To: Liam Howlett, linux-kernel@vger.kernel.org, Vineet Gupta,
linux-snps-arc@lists.infradead.org
arch_get_unmapped_area() could potentially allow a larger than possible
length when using the MAP_FIXED flag. The bound check should come
before the check for MAP_FIXED.
Fixes: 5bba49f5397c (ARC: [mm] Aliasing VIPT dcache support 4/4)
Signed-off-by: Liam R. Howlett <Liam.Howlett@oracle.com>
---
arch/arc/mm/mmap.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/arch/arc/mm/mmap.c b/arch/arc/mm/mmap.c
index 722d26b94307..1d7076406c4e 100644
--- a/arch/arc/mm/mmap.c
+++ b/arch/arc/mm/mmap.c
@@ -35,6 +35,9 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
int aliasing = cache_is_vipt_aliasing();
struct vm_unmapped_area_info info;
+ if (len > TASK_SIZE)
+ return -ENOMEM;
+
/*
* We only need to do colour alignment if D cache aliases.
*/
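Review bot: the moved check bounds only `len`, so the MAP_FIXED branch that follows it still returns `addr` without testing whether `addr + len` stays below TASK_SIZE; a fixed request near the top of the address space with a legal `len` passes this hunk unchanged. If the intent is for the arch hook to be self-sufficient, the MAP_FIXED branch also needs `if (addr > TASK_SIZE - len) return -ENOMEM;`. If instead the generic get_unmapped_area() caller is relied on for the range check, say so in the changelog, because as written it claims the hook "could allow a larger than possible length" and this hunk only half closes that.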
@@ -51,9 +54,6 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
return addr;
}
- if (len > TASK_SIZE)
- return -ENOMEM;
-
if (addr) {
if (do_align)
addr = COLOUR_ALIGN(addr, pgoff);
--
2.30.2
* [RFC PATCH 2/6] [ARM] mm/mmap.c: Check length of unmapped area before allowing MAP_FIXED
From: Liam Howlett @ 2021-12-06 15:02 UTC
To: Liam Howlett, Russell King, linux-arm-kernel@lists.infradead.org,
linux-kernel@vger.kernel.org
arch_get_unmapped_area() could potentially allow a larger than possible
length when using the MAP_FIXED flag. The bound check should come
before the check for MAP_FIXED.
Fixes: 4fbe66759b2a ([ARM] Fix shared mmap()ings for ARM VIPT caches.)
Signed-off-by: Liam R. Howlett <Liam.Howlett@oracle.com>
---
arch/arm/mm/mmap.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/arch/arm/mm/mmap.c b/arch/arm/mm/mmap.c
index a0f8a0ca0788..cb135556ce36 100644
--- a/arch/arm/mm/mmap.c
+++ b/arch/arm/mm/mmap.c
@@ -36,6 +36,9 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
int aliasing = cache_is_vipt_aliasing();
struct vm_unmapped_area_info info;
+ if (len > TASK_SIZE)
+ return -ENOMEM;
+
/*
* We only need to do colour alignment if either the I or D
* caches alias.
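Review bot: ordering side effect worth a changelog line: with the length test now ahead of the MAP_FIXED branch, a MAP_FIXED|MAP_SHARED request that is both too long and violates the cache-aliasing constraint (rejected inside that branch, per the comment at the top of this hunk) fails on length first, so userspace sees -ENOMEM where it previously got the aliasing rejection's errno. Harmless, but it is a visible change in what mmap() returns and the commit message does not mention it.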
@@ -53,9 +56,6 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
return addr;
}
- if (len > TASK_SIZE)
- return -ENOMEM;
-
if (addr) {
if (do_align)
addr = COLOUR_ALIGN(addr, pgoff);
--
2.30.2
* [RFC PATCH 5/6] sys_sparc_32.c: Check length of unmapped area before allowing MAP_FIXED
From: Liam Howlett @ 2021-12-06 15:02 UTC
To: Liam Howlett, David S. Miller, sparclinux@vger.kernel.org,
linux-kernel@vger.kernel.org
arch_get_unmapped_area() could potentially allow a larger than possible
length when using the MAP_FIXED flag. The bound check should come
before the check for MAP_FIXED.
Fixes: ca56c8ee6fa0 (v2.4.3.2 -> v2.4.3.3)
Signed-off-by: Liam R. Howlett <Liam.Howlett@oracle.com>
---
arch/sparc/kernel/sys_sparc_32.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/arch/sparc/kernel/sys_sparc_32.c b/arch/sparc/kernel/sys_sparc_32.c
index 082a551897ed..2e0e35420fa3 100644
--- a/arch/sparc/kernel/sys_sparc_32.c
+++ b/arch/sparc/kernel/sys_sparc_32.c
@@ -43,6 +43,10 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi
{
struct vm_unmapped_area_info info;
+ /* See asm-sparc/uaccess.h */
+ if (len > TASK_SIZE - PAGE_SIZE)
+ return -ENOMEM;
+
if (flags & MAP_FIXED) {
/* We do not accept a shared mapping if it would violate
* cache aliasing constraints.
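Review bot: the bound here is `TASK_SIZE - PAGE_SIZE`, a page stricter than the `TASK_SIZE` used by the other patches in this series, and its only justification is the `/* See asm-sparc/uaccess.h */` pointer carried over with the move. Now that the check also gates MAP_FIXED, a reader of the fixed-address path meets this comment first; replace the file reference with the actual reason the last page is reserved, so the stricter bound is understandable in place rather than by chasing a header.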
@@ -53,9 +57,6 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi
return addr;
}
- /* See asm-sparc/uaccess.h */
- if (len > TASK_SIZE - PAGE_SIZE)
- return -ENOMEM;
if (!addr)
addr = TASK_UNMAPPED_BASE;
--
2.30.2
* [RFC PATCH 4/6] sh/mm/mmap.c: Check length of unmapped area before allowing MAP_FIXED
From: Liam Howlett @ 2021-12-06 15:02 UTC
To: Liam Howlett, Yoshinori Sato, Rich Felker, linux-sh@vger.kernel.org,
linux-kernel@vger.kernel.org
arch_get_unmapped_area() and arch_get_unmapped_area_topdown() could
potentially allow a larger than possible length when using the MAP_FIXED
flag. The bound check should come before the check for MAP_FIXED.
Fixes: 2cd841c0b3a8 (v2.4.9.5 -> v2.4.9.6)
Signed-off-by: Liam R. Howlett <Liam.Howlett@oracle.com>
---
arch/sh/mm/mmap.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/arch/sh/mm/mmap.c b/arch/sh/mm/mmap.c
index 6a1a1297baae..3d46c475198d 100644
--- a/arch/sh/mm/mmap.c
+++ b/arch/sh/mm/mmap.c
@@ -39,6 +39,9 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr,
int do_colour_align;
struct vm_unmapped_area_info info;
+ if (unlikely(len > TASK_SIZE))
+ return -ENOMEM;
+
if (flags & MAP_FIXED) {
/* We do not accept a shared mapping if it would violate
* cache aliasing constraints.
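Review bot: the relocated check carries no comment, and neither does its twin in arch_get_unmapped_area_topdown() in the next hunks. Now that it is the only thing standing between a MAP_FIXED request and `return addr`, a one-line comment above each copy, for example `/* Reject an impossible length before trusting a MAP_FIXED address */`, would tell the next reader why it must stay ahead of the `flags & MAP_FIXED` test, which is the whole point of this patch and is otherwise recorded only in the changelog.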
@@ -49,9 +52,6 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr,
return addr;
}
- if (unlikely(len > TASK_SIZE))
- return -ENOMEM;
-
do_colour_align = 0;
if (filp || (flags & MAP_SHARED))
do_colour_align = 1;
@@ -88,6 +88,9 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
int do_colour_align;
struct vm_unmapped_area_info info;
+ if (unlikely(len > TASK_SIZE))
+ return -ENOMEM;
+
if (flags & MAP_FIXED) {
/* We do not accept a shared mapping if it would violate
* cache aliasing constraints.
@@ -98,9 +101,6 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
return addr;
}
- if (unlikely(len > TASK_SIZE))
- return -ENOMEM;
-
do_colour_align = 0;
if (filp || (flags & MAP_SHARED))
do_colour_align = 1;
--
2.30.2
* [RFC PATCH 3/6] nds32/mm/mmap.c: Check length of unmapped area before allowing MAP_FIXED
From: Liam Howlett @ 2021-12-06 15:02 UTC
To: Liam Howlett, Nick Hu, Greentime Hu, Vincent Chen,
linux-kernel@vger.kernel.org
arch_get_unmapped_area() could potentially allow a larger than possible
length when using the MAP_FIXED flag. The bound check should come
before the check for MAP_FIXED.
Fixes: 664eec400bf8 (nds32: MMU fault handling and page table management)
Signed-off-by: Liam R. Howlett <Liam.Howlett@oracle.com>
---
arch/nds32/mm/mmap.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/arch/nds32/mm/mmap.c b/arch/nds32/mm/mmap.c
index 1bdf5e7d1b43..1bc5a82ac3d3 100644
--- a/arch/nds32/mm/mmap.c
+++ b/arch/nds32/mm/mmap.c
@@ -31,6 +31,9 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
if(IS_ENABLED(CONFIG_CPU_CACHE_ALIASING))
aliasing = 1;
+ if (len > TASK_SIZE)
+ return -ENOMEM;
+
/*
* We only need to do colour alignment if either the I or D
* caches alias.
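Review bot: placement differs from the ARC and ARM patches in this series: here the check is inserted after `aliasing` has already been computed from CONFIG_CPU_CACHE_ALIASING, whereas the other two add it directly after the declarations. Move it above the `if(IS_ENABLED(CONFIG_CPU_CACHE_ALIASING))` line so the cheap reject precedes all setup and the three files read the same; that also keeps the `aliasing` assignment adjacent to the colour-alignment comment that explains it.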
@@ -48,9 +51,6 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
return addr;
}
- if (len > TASK_SIZE)
- return -ENOMEM;
-
if (addr) {
if (do_align)
addr = COLOUR_ALIGN(addr, pgoff);
--
2.30.2
* [RFC PATCH 6/6] sys_sparc_64.c: Check length of unmapped area before allowing MAP_FIXED
From: Liam Howlett @ 2021-12-06 15:02 UTC
To: Liam Howlett, David S. Miller, sparclinux@vger.kernel.org,
linux-kernel@vger.kernel.org
arch_get_unmapped_area() and arch_get_unmapped_area_topdown() could
potentially allow a larger than possible length when using the MAP_FIXED
flag. The bound check should come before the check for MAP_FIXED.
Fixes: ca56c8ee6fa0 (v2.4.3.2 -> v2.4.3.3)
Signed-off-by: Liam R. Howlett <Liam.Howlett@oracle.com>
---
arch/sparc/kernel/sys_sparc_64.c | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/arch/sparc/kernel/sys_sparc_64.c b/arch/sparc/kernel/sys_sparc_64.c
index 1e9a9e016237..4ca7f9c18c54 100644
--- a/arch/sparc/kernel/sys_sparc_64.c
+++ b/arch/sparc/kernel/sys_sparc_64.c
@@ -95,6 +95,11 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi
int do_color_align;
struct vm_unmapped_area_info info;
+ if (test_thread_flag(TIF_32BIT))
+ task_size = STACK_TOP32;
+ if (unlikely(len > task_size || len >= VA_EXCLUDE_START))
+ return -ENOMEM;
+
if (flags & MAP_FIXED) {
/* We do not accept a shared mapping if it would violate
* cache aliasing constraints.
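Review bot: for a MAP_FIXED request the `len >= VA_EXCLUDE_START` half of this test asks the wrong question: what matters is whether [addr, addr + len) crosses the VA hole, and a fixed request placed just below the hole with `len < VA_EXCLUDE_START` still returns `addr` from the branch that follows. Either add an explicit range test in the MAP_FIXED branch or state in the changelog that the hole test stays a search-path heuristic and the generic caller is relied on for the range. Separately, the `TIF_32BIT` switch of `task_size` to STACK_TOP32 now runs for MAP_FIXED too; if that tightening for compat tasks is intended, the commit message should say so.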
@@ -105,11 +110,6 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi
return addr;
}
- if (test_thread_flag(TIF_32BIT))
- task_size = STACK_TOP32;
- if (unlikely(len > task_size || len >= VA_EXCLUDE_START))
- return -ENOMEM;
-
do_color_align = 0;
if (filp || (flags & MAP_SHARED))
do_color_align = 1;
@@ -159,6 +159,9 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
/* This should only ever run for 32-bit processes. */
BUG_ON(!test_thread_flag(TIF_32BIT));
+ if (unlikely(len > task_size))
+ return -ENOMEM;
+
if (flags & MAP_FIXED) {
/* We do not accept a shared mapping if it would violate
* cache aliasing constraints.
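Review bot: asymmetry with the bottom-up variant in the first hunk: that one also rejects `len >= VA_EXCLUDE_START`, this one checks only `len > task_size`. If that is deliberate because this function only runs for TIF_32BIT tasks (the BUG_ON just above) whose `task_size` lies entirely below the hole, a one-line comment saying so next to the check would stop the next reader from "fixing" the difference.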
@@ -169,9 +172,6 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
return addr;
}
- if (unlikely(len > task_size))
- return -ENOMEM;
-
do_color_align = 0;
if (filp || (flags & MAP_SHARED))
do_color_align = 1;
--
2.30.2