The new protection to keep users from writing to the first couple of
pages of virtual memory also is stopping mmap operations which are only
giving a hint address greater than 0 but less than mmap_min_addr. This
patch should take the address given to mmap and move it up to
mmap_min_addr thus eliminating the security denial.
--
Testing on this patch resulted in expected results. With my
mmap_min_addr set to 40960
About to MAP_FIXED addr:40960
Works.
About to MAP_FIXED addr:32768
mmap: Permission denied
So MAP_FXIED operations were getting denied.
About to mmap with hint addr:40960
Works.
About to mmap with hint addr:32768
Requested addr:32768 but got addr:40960
So given a low hint address we just got 40960
About to mmap with hint addr:4096
Requested addr:4096 but got addr:40960
About to mmap with hint addr:8192
Requested addr:8192 but got addr:3086798848
Here I didn't munmap between each mmap call. In this case 4096 hint got
bumped to 40960 (mmap_min_addr) and worked fine. A new hint, 8192 also
got bumped to 40960 but the kernel found it couldn't use that and
instead found a whole new open memory area. Appears to be working as
expected.
mm/mmap.c | 7 +++++++
mm/nommu.c | 7 +++++++
2 files changed, 14 insertions(+), 0 deletions(-)
diff --git a/mm/mmap.c b/mm/mmap.c
index bce4995..ecd1dcc 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -916,6 +916,13 @@ unsigned long do_mmap_pgoff(struct file * file, unsigned long addr,
if (!len)
return -EINVAL;
+ /*
+ * If a hint addr is less than mmap_min_addr change addr to be as
+ * low as possible but still greater than mmap_min_addr
+ */
+ if (!(flags & MAP_FIXED) && (addr != NULL) && (addr < mmap_min_addr))
+ addr = (mmap_min_addr + ~PAGE_MASK) & PAGE_MASK;
+
error = arch_mmap_check(addr, len, flags);
if (error)
return error;
diff --git a/mm/nommu.c b/mm/nommu.c
index 989e2e9..6c13728 100644
--- a/mm/nommu.c
+++ b/mm/nommu.c
@@ -805,6 +805,13 @@ unsigned long do_mmap_pgoff(struct file *file,
void *result;
int ret;
+ /*
+ * If a hint addr is less than mmap_min_addr change addr to be as
+ * low as possible, but still greater than mmap_min_addr
+ */
+ if (!(flags & MAP_FIXED) && (addr != NULL) && (addr < mmap_min_addr))
+ addr = (mmap_min_addr + ~PAGE_MASK) & PAGE_MASK;
+
/* decide whether we should attempt the mapping, and if so what sort of
* mapping */
ret = validate_mmap_request(file, addr, len, prot, flags, pgoff,
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[Index of Archives]
[Kernel Newbies]
[Netfilter]
[Bugtraq]
[Photo]
[Stuff]
[Gimp]
[Yosemite News]
[MIPS Linux]
[ARM Linux]
[Linux Security]
[Linux RAID]
[Video 4 Linux]
[Linux for the blind]
[Linux Resources]