| From: Davidlohr Bueso <dave@stgolabs.net> |
| Date: Fri, 25 May 2018 14:47:30 -0700 |
| Subject: ipc/shm: fix shmat() nil address after round-down when remapping |
| |
| commit 8f89c007b6dec16a1793cb88de88fcc02117bbbc upstream. |
| |
| shmat()'s SHM_REMAP option forbids passing a nil address; this is in |
| fact the very first thing we check for. Andrea reported that for |
| SHM_RND|SHM_REMAP cases we can end up bypassing the initial addr check, |
| but we need to check again if the address was rounded down to nil. As |
| of this patch, such cases will return -EINVAL. |
| |
| Link: http://lkml.kernel.org/r/20180503204934.kk63josdu6u53fbd@linux-n805 |
| Signed-off-by: Davidlohr Bueso <dbueso@suse.de> |
| Reported-by: Andrea Arcangeli <aarcange@redhat.com> |
| Cc: Joe Lawrence <joe.lawrence@redhat.com> |
| Cc: Manfred Spraul <manfred@colorfullife.com> |
| Signed-off-by: Andrew Morton <akpm@linux-foundation.org> |
| Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> |
| Signed-off-by: Ben Hutchings <ben@decadent.org.uk> |
| --- |
| ipc/shm.c | 12 ++++++++++-- |
| 1 file changed, 10 insertions(+), 2 deletions(-) |
| |
| --- a/ipc/shm.c |
| +++ b/ipc/shm.c |
| @@ -1112,9 +1112,17 @@ long do_shmat(int shmid, char __user *sh |
| goto out; |
| else if ((addr = (ulong)shmaddr)) { |
| if (addr & (shmlba - 1)) { |
| - if (shmflg & SHM_RND) |
| + if (shmflg & SHM_RND) { |
| addr &= ~(shmlba - 1); /* round down */ |
| - else |
| + |
| + /* |
| + * Ensure that the round-down is non-nil |
| + * when remapping. This can happen for |
| + * cases when addr < shmlba. |
| + */ |
| + if (!addr && (shmflg & SHM_REMAP)) |
| + goto out; |
| + } else |
| #ifndef __ARCH_FORCE_SHMLBA |
| if (addr & ~PAGE_MASK) |
| #endif |
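| Review bot: The new `goto out` after `if (!addr && (shmflg & SHM_REMAP))` sets no error code inside the hunk, so the -EINVAL return promised in the commit message depends on `err` still holding the value assigned before the `else if ((addr = (ulong)shmaddr))` branch, which is outside the visible context; either confirm nothing between that assignment and this point touches `err`, or write `err = -EINVAL;` immediately before the `goto out` so the check is self-describing. The placement itself is sound: only the `SHM_RND` round-down can turn a non-nil `shmaddr` into nil (the comment's `addr < shmlba` case), so an already-aligned address needs no second check, and it would help future readers to say so in the added comment. |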