Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

mm: enforce min addr even if capable() in expand_downwards()

security_mmap_addr() does a capability check with current_cred(), but
we can reach this code from contexts like a VFS write handler where
current_cred() must not be used.

This can be abused on systems without SMAP to make NULL pointer
dereferences exploitable again.

Fixes: 8869477a49c3 ("security: protect from stack expansion into low vm addresses")
Cc: stable@kernel.org
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Authored by Jann Horn and committed by Linus Torvalds
0a1d5299 7d762d69

+3 -4
mm/mmap.c
··· 2426 2426 { 2427 2427 struct mm_struct *mm = vma->vm_mm; 2428 2428 struct vm_area_struct *prev; 2429 - int error; 2429 + int error = 0; 2430 2430 2431 2431 address &= PAGE_MASK; 2432 - error = security_mmap_addr(address); 2433 - if (error) 2434 - return error; 2432 + if (address < mmap_min_addr) 2433 + return -EPERM; 2435 2434 2436 2435 /* Enforce stack_guard_gap */ 2437 2436 prev = vma->vm_prev;
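
Review bot: the new `if (address < mmap_min_addr)` check in mm/mmap.c has no comment saying why it stands in for security_mmap_addr(), so a later cleanup could restore the hook and bring back the current_cred() dependency the commit message describes. A short comment above the check would help, noting that this path is reachable from contexts where current_cred() must not be used and that the limit is therefore enforced here with no capability override. The `int error = 0;` change is only needed because the assignment from security_mmap_addr() was removed, and a few words on that in the commit message would save the next reader from wondering.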