aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAdam Litke <agl@us.ibm.com>2007-10-19 19:05:10 +0200
committerAdrian Bunk <bunk@kernel.org>2007-10-19 19:05:10 +0200
commit2c70c535915f621fe51508076804b4575171a23d (patch)
tree6160dacf53faaba579478790c2d5643579706c30
parentc19b3d848a376abb057d6c80788f424e4c565223 (diff)
Don't allow the stack to grow into hugetlb reserved regions (CVE-2007-3739)
When expanding the stack, we don't currently check if the VMA will cross into an area of the address space that is reserved for hugetlb pages. Subsequent faults on the expanded portion of such a VMA will confuse the low-level MMU code, resulting in an OOPS. Check for this. Signed-off-by: Adam Litke <agl@us.ibm.com> Signed-off-by: Adrian Bunk <bunk@kernel.org>
-rw-r--r--mm/mmap.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/mm/mmap.c b/mm/mmap.c
index fba355c0652..f2ac461a357 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -1460,6 +1460,7 @@ static int acct_stack_growth(struct vm_area_struct * vma, unsigned long size, un
{
struct mm_struct *mm = vma->vm_mm;
struct rlimit *rlim = current->signal->rlim;
+ unsigned long new_start;
/* address space limit tests */
if (!may_expand_vm(mm, grow))
@@ -1479,6 +1480,12 @@ static int acct_stack_growth(struct vm_area_struct * vma, unsigned long size, un
return -ENOMEM;
}
+ /* Check to ensure the stack will not grow into a hugetlb-only region */
+ new_start = (vma->vm_flags & VM_GROWSUP) ? vma->vm_start :
+ vma->vm_end - size;
+ if (is_hugepage_only_range(vma->vm_mm, new_start, size))
+ return -EFAULT;
+
/*
* Overcommit.. This must be the final test, as it will
* update security statistics.