Please sign in to comment.
ipc/shm: Fix shmat mmap nil-page protection
commit 95e91b831f87ac8e1f8ed50c14d709089b4e01b8 upstream. The issue is described here, with a nice testcase: https://bugzilla.kernel.org/show_bug.cgi?id=192931 The problem is that shmat() calls do_mmap_pgoff() with MAP_FIXED, and the address rounded down to 0. For the regular mmap case, the protection mentioned above is that the kernel gets to generate the address -- arch_get_unmapped_area() will always check for MAP_FIXED and return that address. So by the time we do security_mmap_addr(0) things get funky for shmat(). The testcase itself shows that while a regular user crashes, root will not have a problem attaching a nil-page. There are two possible fixes to this. The first, and which this patch does, is to simply allow root to crash as well -- this is also regular mmap behavior, ie when hacking up the testcase and adding mmap(... |MAP_FIXED). While this approach is the safer option, the second alternative is to ignore SHM_RND if the rounded address is 0, thus only having MAP_SHARED flags. This makes the behavior of shmat() identical to the mmap() case. The downside of this is obviously user visible, but does make sense in that it maintains semantics after the round-down wrt 0 address and mmap. Passes shm related ltp tests. Change-Id: Ief10076165c4f03de686229185d80510af2ba79e Link: http://firstname.lastname@example.org Signed-off-by: Davidlohr Bueso <email@example.com> Reported-by: Gareth Evans <firstname.lastname@example.org> Cc: Manfred Spraul <email@example.com> Cc: Michael Kerrisk <firstname.lastname@example.org> Signed-off-by: Andrew Morton <email@example.com> Signed-off-by: Linus Torvalds <firstname.lastname@example.org> [bwh: Backported to 3.2: use SHMLBA constant instead of shmlba parameter] Signed-off-by: Ben Hutchings <email@example.com>
- Loading branch information...