From 8869477a49c3e99def1fcdadd6bbc407fea14b45 Mon Sep 17 00:00:00 2001 From: Eric Paris Date: Mon, 26 Nov 2007 18:47:26 -0500 Subject: security: protect from stack expantion into low vm addresses Add security checks to make sure we are not attempting to expand the stack into memory protected by mmap_min_addr Signed-off-by: Eric Paris Signed-off-by: James Morris --- mm/mmap.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) (limited to 'mm') diff --git a/mm/mmap.c b/mm/mmap.c index facc1a75bd4f..938313c76d02 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -1615,6 +1615,12 @@ static inline int expand_downwards(struct vm_area_struct *vma, */ if (unlikely(anon_vma_prepare(vma))) return -ENOMEM; + + address &= PAGE_MASK; + error = security_file_mmap(0, 0, 0, 0, address, 1); + if (error) + return error; + anon_vma_lock(vma); /* @@ -1622,8 +1628,6 @@ static inline int expand_downwards(struct vm_area_struct *vma, * is required to hold the mmap_sem in read mode. We need the * anon_vma lock to serialize against concurrent expand_stacks. */ - address &= PAGE_MASK; - error = 0; /* Somebody else might have raced and expanded it already */ if (address < vma->vm_start) { -- cgit v1.2.3 From 7cd94146cd504016315608e297219f9fb7b1413b Mon Sep 17 00:00:00 2001 From: Eric Paris Date: Mon, 26 Nov 2007 18:47:40 -0500 Subject: Security: round mmap hint address above mmap_min_addr If mmap_min_addr is set and a process attempts to mmap (not fixed) with a non-null hint address less than mmap_min_addr the mapping will fail the security checks. Since this is just a hint address this patch will round such a hint address above mmap_min_addr. gcj was found to try to be very frugal with vm usage and give hint addresses in the 8k-32k range. Without this patch all such programs failed and with the patch they happily get a higher address. This patch is wrappad in CONFIG_SECURITY since mmap_min_addr doesn't exist without it and there would be no security check possible no matter what. So we should not bother compiling in this rounding if it is just a waste of time. Signed-off-by: Eric Paris Signed-off-by: James Morris --- include/linux/mm.h | 16 ++++++++++++++++ mm/mmap.c | 3 +++ mm/nommu.c | 3 +++ 3 files changed, 22 insertions(+) (limited to 'mm') diff --git a/include/linux/mm.h b/include/linux/mm.h index 520238cbae5d..1b7b95c67aca 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h @@ -12,6 +12,7 @@ #include #include #include +#include struct mempolicy; struct anon_vma; @@ -512,6 +513,21 @@ static inline void set_page_links(struct page *page, enum zone_type zone, set_page_section(page, pfn_to_section_nr(pfn)); } +/* + * If a hint addr is less than mmap_min_addr change hint to be as + * low as possible but still greater than mmap_min_addr + */ +static inline unsigned long round_hint_to_min(unsigned long hint) +{ +#ifdef CONFIG_SECURITY + hint &= PAGE_MASK; + if (((void *)hint != NULL) && + (hint < mmap_min_addr)) + return PAGE_ALIGN(mmap_min_addr); +#endif + return hint; +} + /* * Some inline functions in vmstat.h depend on page_zone() */ diff --git a/mm/mmap.c b/mm/mmap.c index 938313c76d02..f4cfc6ac08db 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -912,6 +912,9 @@ unsigned long do_mmap_pgoff(struct file * file, unsigned long addr, if (!len) return -EINVAL; + if (!(flags & MAP_FIXED)) + addr = round_hint_to_min(addr); + error = arch_mmap_check(addr, len, flags); if (error) return error; diff --git a/mm/nommu.c b/mm/nommu.c index 35622c590925..b989cb928a7c 100644 --- a/mm/nommu.c +++ b/mm/nommu.c @@ -829,6 +829,9 @@ unsigned long do_mmap_pgoff(struct file *file, void *result; int ret; + if (!(flags & MAP_FIXED)) + addr = round_hint_to_min(addr); + /* decide whether we should attempt the mapping, and if so what sort of * mapping */ ret = validate_mmap_request(file, addr, len, prot, flags, pgoff, -- cgit v1.2.3 From 5a211a5deabcafdc764817d5b4510c767d317ddc Mon Sep 17 00:00:00 2001 From: Eric Paris Date: Tue, 4 Dec 2007 11:06:55 -0500 Subject: VM/Security: add security hook to do_brk Given a specifically crafted binary do_brk() can be used to get low pages available in userspace virtually memory and can thus be used to circumvent the mmap_min_addr low memory protection. Add security checks in do_brk(). Signed-off-by: Eric Paris Acked-by: Alan Cox Signed-off-by: James Morris --- mm/mmap.c | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'mm') diff --git a/mm/mmap.c b/mm/mmap.c index f4cfc6ac08db..15678aa6ec73 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -1941,6 +1941,10 @@ unsigned long do_brk(unsigned long addr, unsigned long len) if (is_hugepage_only_range(mm, addr, len)) return -EINVAL; + error = security_file_mmap(0, 0, 0, 0, addr, 1); + if (error) + return error; + flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags; error = arch_mmap_check(addr, len, flags); -- cgit v1.2.3