mm: enforce min addr even if capable() in expand_downwards() [Linux 5.0]

This Linux kernel change "mm: enforce min addr even if capable() in expand_downwards()" is included in the Linux 5.0 release. This change is authored by Jann Horn <jannh [at] google.com> on Wed Feb 27 21:29:52 2019 +0100. The commit for this change in Linux stable tree is 0a1d529 (patch).

mm: enforce min addr even if capable() in expand_downwards()

security_mmap_addr() does a capability check with current_cred(), but
we can reach this code from contexts like a VFS write handler where
current_cred() must not be used.

This can be abused on systems without SMAP to make NULL pointer
dereferences exploitable again.

Fixes: 8869477a49c3 ("security: protect from stack expansion into low vm addresses")
Cc: [email protected]
Signed-off-by: Jann Horn <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>

There are 7 lines of Linux source code added/deleted in this change. Code changes to Linux kernel are as follows.

 mm/mmap.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/mm/mmap.c b/mm/mmap.c
index f901065..fc1809b 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -2426,12 +2426,11 @@ int expand_downwards(struct vm_area_struct *vma,
 {
    struct mm_struct *mm = vma->vm_mm;
    struct vm_area_struct *prev;
-   int error;
+   int error = 0;

    address &= PAGE_MASK;
-   error = security_mmap_addr(address);
-   if (error)
-       return error;
+   if (address < mmap_min_addr)
+       return -EPERM;

    /* Enforce stack_guard_gap */
    prev = vma->vm_prev;

Leave a Reply

Your email address will not be published. Required fields are marked *