Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

mm: avoid wrapping vm_pgoff in mremap()

The normal mmap paths all avoid creating a mapping where the pgoff
inside the mapping could wrap around due to overflow. However, an
expanding mremap() can take such a non-wrapping mapping and make it
bigger and cause a wrapping condition.

Noticed by Robert Swiecki when running a system call fuzzer, where it
caused a BUG_ON() due to terminally confusing the vma_prio_tree code. A
vma dumping patch by Hugh then pinpointed the crazy wrapped case.

Reported-and-tested-by: Robert Swiecki <robert@swiecki.net>
Acked-by: Hugh Dickins <hughd@google.com>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
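To make the wrap concrete, here is a user-space model of the growth check this patch adds (an added example, not kernel code; `struct vma_model`, `grow_check`, the 12-bit `PAGE_SHIFT` and the sample mapping are constructed assumptions), run on a mapping whose file offset sits a few pages below ULONG_MAX:

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>

/* Constructed user-space model of mremap()'s growth check; not kernel code.
 * PAGE_SHIFT and vma_model are assumptions mirroring what the real check reads. */
#define PAGE_SHIFT 12
#define PAGE_SIZE  (1UL << PAGE_SHIFT)

struct vma_model {
    unsigned long vm_start;
    unsigned long vm_end;
    unsigned long vm_pgoff;   /* file offset of vm_start, in pages */
};

/* 0: growing [addr, addr+old_len) to new_len keeps the page-offset range
 * free of wrap; -EFAULT: old range not inside the vma; -EINVAL: the new
 * end offset would wrap past ULONG_MAX (the case the patch rejects). */
int grow_check(const struct vma_model *vma, unsigned long addr,
               unsigned long old_len, unsigned long new_len)
{
    unsigned long pgoff;

    if (addr < vma->vm_start || old_len > vma->vm_end - addr)
        return -EFAULT;
    if (new_len <= old_len)
        return 0;             /* shrinking or unchanged: nothing can wrap */
    /* page offset of addr within the file, then the unsigned wrap test
     * from the patch; it is valid only because pgoff is unsigned long */
    pgoff = (addr - vma->vm_start) >> PAGE_SHIFT;
    pgoff += vma->vm_pgoff;
    if (pgoff + (new_len >> PAGE_SHIFT) < pgoff)
        return -EINVAL;
    return 0;
}

/* Constructed sample: a two-page mapping whose file offset is three pages
 * below ULONG_MAX. Legal to create, but growing it past 3 pages wraps. */
const struct vma_model near_wrap = {
    .vm_start = 0x10000000UL,
    .vm_end   = 0x10000000UL + 2 * PAGE_SIZE,
    .vm_pgoff = ULONG_MAX - 3,
};

int main(void)
{
    printf("grow to 3 pages: %d\n", grow_check(&near_wrap, near_wrap.vm_start, 2 * PAGE_SIZE, 3 * PAGE_SIZE));
    printf("grow to 4 pages: %d\n", grow_check(&near_wrap, near_wrap.vm_start, 2 * PAGE_SIZE, 4 * PAGE_SIZE));
    return 0;
}
```

The first call returns 0 (end offset lands exactly on ULONG_MAX), the second returns -EINVAL because the end offset wraps to 0, which is the state the prio tree could not cope with.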

+9 -2
mm/mremap.c
··· 277 277 if (old_len > vma->vm_end - addr) 278 278 goto Efault; 279 279 280 - if (vma->vm_flags & (VM_DONTEXPAND | VM_PFNMAP)) { 281 - if (new_len > old_len) 280 + /* Need to be careful about a growing mapping */ 281 + if (new_len > old_len) { 282 + unsigned long pgoff; 283 + 284 + if (vma->vm_flags & (VM_DONTEXPAND | VM_PFNMAP)) 282 285 goto Efault; 286 + pgoff = (addr - vma->vm_start) >> PAGE_SHIFT; 287 + pgoff += vma->vm_pgoff; 288 + if (pgoff + (new_len >> PAGE_SHIFT) < pgoff) 289 + goto Einval; 283 290 } 284 291 285 292 if (vma->vm_flags & VM_LOCKED) {
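Review bot: the wrap test `if (pgoff + (new_len >> PAGE_SHIFT) < pgoff)` is only correct because `pgoff` is declared `unsigned long`, and the new `/* Need to be careful about a growing mapping */` comment does not say what the care is about; a one-line comment at the test stating that it detects unsigned wrap of the end page offset (the condition that confused the prio tree, per the commit message) would save the next reader from re-deriving it. It would also help to note in the same comment why the two failures return different errors, `goto Efault` for the VM_DONTEXPAND | VM_PFNMAP case versus `goto Einval` for the wrap, since both sit inside the same `if (new_len > old_len)` block.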