Message ID | 1318347561-1410-4-git-send-email-paolo.pisati@canonical.com |
---|---|
State | New |
On Tue, Oct 11, 2011 at 05:39:21PM +0200, Paolo Pisati wrote: > Commit a626ca6a6564 ("vm: fix vm_pgoff wrap in stack expansion") fixed > the case of an expanding mapping causing vm_pgoff wrapping when you had > downward stack expansion. But there was another case where IA64 and > PA-RISC expand mappings: upward expansion. > > This fixes that case too. > > Signed-off-by: Hugh Dickins <hughd@google.com> > Cc: stable@kernel.org > Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> > > CVE-2011-2496 > > BugLink: http://bugs.launchpad.net/bugs/869243 > > commit upstream a626ca6a656450e9f4df91d0dda238fff23285f4 This is incorrect, it's the same upstream commit that patch 2 refers to. You're also missing the From line to maintain correct authorship information. > > Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com> > --- > mm/mmap.c | 9 ++++++--- > 1 files changed, 6 insertions(+), 3 deletions(-) > > diff --git a/mm/mmap.c b/mm/mmap.c > index 1508d86..027108e 100644 > --- a/mm/mmap.c > +++ b/mm/mmap.c > @@ -1735,9 +1735,12 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address) > size = address - vma->vm_start; > grow = (address - vma->vm_end) >> PAGE_SHIFT; > > - error = acct_stack_growth(vma, size, grow); > - if (!error) > - vma->vm_end = address; > + error = -ENOMEM; > + if (vma->vm_pgoff + (size >> PAGE_SHIFT) >= vma->vm_pgoff) { > + error = acct_stack_growth(vma, size, grow); > + if (!error) > + vma->vm_end = address; > + } > } > anon_vma_unlock(vma); > return error; > -- > 1.7.5.4 > > > -- > kernel-team mailing list > kernel-team@lists.ubuntu.com > https://lists.ubuntu.com/mailman/listinfo/kernel-team
diff --git a/mm/mmap.c b/mm/mmap.c index 1508d86..027108e 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -1735,9 +1735,12 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address) size = address - vma->vm_start; grow = (address - vma->vm_end) >> PAGE_SHIFT; - error = acct_stack_growth(vma, size, grow); - if (!error) - vma->vm_end = address; + error = -ENOMEM; + if (vma->vm_pgoff + (size >> PAGE_SHIFT) >= vma->vm_pgoff) { + error = acct_stack_growth(vma, size, grow); + if (!error) + vma->vm_end = address; + } } anon_vma_unlock(vma); return error;
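Review bot: the new guard in expand_upwards(), `if (vma->vm_pgoff + (size >> PAGE_SHIFT) >= vma->vm_pgoff)`, carries no comment saying that it is a wraparound check on the page offset of the grown mapping, so it reads like a condition that is always true. It only works if the addition wraps modulo the width of vm_pgoff, which means vm_pgoff must be an unsigned type; a one-line comment above the test stating that it rejects growth that would wrap vm_pgoff would make that dependency explicit. Also note that with `error = -ENOMEM;` preset, the wrap case returns -ENOMEM without calling acct_stack_growth() at all, and the commit message, which says only that the upward case is fixed too, would be clearer if it named that return value.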