Received: by 10.192.165.148 with SMTP id m20csp22496imm;
        Thu, 3 May 2018 14:04:47 -0700 (PDT)
X-Google-Smtp-Source: AB8JxZoGX0MDN1/Kt8jxXw++MJCAYweQjRNtE4Z0/uEQAPamhJ9Ra1Swz7mGvw99+LDJLt5ewR5Z
X-Received: by 2002:a63:6584:: with SMTP id z126-v6mr12697454pgb.168.1525381487365;
        Thu, 03 May 2018 14:04:47 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1525381487; cv=none;
        d=google.com; s=arc-20160816;
        b=FNnmwi441rejRTDJNJmRtt3OF4Z4XMOhofvysM3I4zJPO+oHe5SSRTwp4xeFsP/sgv
         xqPVOjctTOkB+EiIkP5E4g7Thl6JmCCH3htpJeKwryiRrTg9WRjTIGR/DabyyzQeNixm
         Ko/affqehA5SGK3uw+sUzkaKfhDO40HijX8NRb/+Kq3P8/hpmcmAq2HoxOzD1N72SM3/
         UROIKC2nXxsGrrfqI7XMs4A5d4ulWWt/8PyGKYKx4T+qyIGa6vTJO7SevxVFzFkcsRNg
         yR3+6WqFcrwyS2qeBjSN+yOCtkQftS9I0dUfENKfyc1Lgey8yzEKPVhYLeDNcWWR8yg4
         wozQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:mail-followup-to
         :message-id:subject:cc:to:from:date:arc-authentication-results;
        bh=T9/KLpfNlXTBJuGBs6mlnndbmTLZ/eYl0RbCd4XdAQE=;
        b=XEUhJFdXECoo25SiimnWFF8Qq7HCm/4tUr+sYqdRdTIA6hETfSgCY3De3WIwcV8mZi
         1sINILFVjKASeTxKYjr9msXJbvqtHyB1BwgNk6NiBj6t7M979SpkeekEbweWirRakYaM
         Ymp8OEl96iemfPQ3W6BhR/5gqYQeYplNdXQ/teETT27hROs9JgqoEWdwXoRwdfQF8ncd
         RK1d+uhir0031sV4qz+wlm+GuDHwEG9I/QxN1Bz4qNZZ3q8mGUBLo9TA6W/EYFcW7FCy
         kau3hGB4VEOHwjKNIPTCnbnXX9FP3xw5a7pOlqbhA06B067TYCXlhrirWZUxmE2Q/yEY
         4mQA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id v69si2828721pfd.341.2018.05.03.14.04.32;
        Thu, 03 May 2018 14:04:47 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751339AbeECVED (ORCPT <rfc822;ereslibre@gmail.com> + 99 others);
        Thu, 3 May 2018 17:04:03 -0400
Received: from mx2.suse.de ([195.135.220.15]:48744 "EHLO mx2.suse.de"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1751132AbeECVEC (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 3 May 2018 17:04:02 -0400
X-Virus-Scanned: by amavisd-new at test-mx.suse.de
Received: from relay1.suse.de (charybdis-ext.suse.de [195.135.220.254])
        by mx2.suse.de (Postfix) with ESMTP id C5342AF2C;
        Thu,  3 May 2018 21:04:00 +0000 (UTC)
Date:   Thu, 3 May 2018 13:49:34 -0700
From:   Davidlohr Bueso <dave@stgolabs.net>
To:     akpm@linux-foundation.org, aarcange@redhat.com
Cc:     joe.lawrence@redhat.com, gareth.evans@contextis.co.uk,
        linux-kernel@vger.kernel.org, linux-mm@kvack.org,
        stable@kernel.org, dave@stgolabs.net
Subject: [PATCH 2/2] ipc/shm: fix shmat() nil address after round-down when
 remapping
Message-ID: <20180503204934.kk63josdu6u53fbd@linux-n805>
Mail-Followup-To: akpm@linux-foundation.org, aarcange@redhat.com,
        joe.lawrence@redhat.com, gareth.evans@contextis.co.uk,
        linux-kernel@vger.kernel.org, linux-mm@kvack.org, stable@kernel.org
References: <20180503203243.15045-1-dave@stgolabs.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Disposition: inline
In-Reply-To: <20180503203243.15045-1-dave@stgolabs.net>
User-Agent: NeoMutt/20170421 (1.8.2)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

shmat()'s SHM_REMAP option forbids passing a nil address for; this
is in fact the very first thing we check for. Andrea reported that
for SHM_RND|SHM_REMAP cases we can end up bypassing the initial
addr check, but we need to check again if the address was rounded
down to nil. As of this patch, such cases will return -EINVAL.

Reported-by: Andrea Arcangeli <aarcange@redhat.com>
Signed-off-by: Davidlohr Bueso <dbueso@suse.de>
---
 ipc/shm.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/ipc/shm.c b/ipc/shm.c
index b81d53c8f459..29978ee76c2e 100644
--- a/ipc/shm.c
+++ b/ipc/shm.c
@@ -1371,9 +1371,17 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg,
 
 	if (addr) {
 		if (addr & (shmlba - 1)) {
-			if (shmflg & SHM_RND)
+			if (shmflg & SHM_RND) {
 				addr &= ~(shmlba - 1);  /* round down */
-			else
+
+				/*
+				 * Ensure that the round-down is non-nil
+				 * when remapping. This can happen for
+				 * cases when addr < shmlba.
+				 */
+				if (!addr && (shmflg & SHM_REMAP))
+					goto out;
+			} else
 #ifndef __ARCH_FORCE_SHMLBA
 				if (addr & ~PAGE_MASK)
 #endif
-- 
2.13.6