Received: by 2002:ac0:a5b6:0:0:0:0:0 with SMTP id m51-v6csp2176933imm; Mon, 28 May 2018 03:17:22 -0700 (PDT) X-Google-Smtp-Source: AB8JxZoupkl1jd2ZvZxus3gheCYUJM4zxweFrCdI+WUssvrUvGlyrN4xpIvQWW2ZsAyLdIktXGRA X-Received: by 2002:a65:5042:: with SMTP id k2-v6mr9971474pgo.122.1527502642219; Mon, 28 May 2018 03:17:22 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1527502642; cv=none; d=google.com; s=arc-20160816; b=Je2qLwg3sjUlXFRS4Dyu410UOyorIR6O1K+KQokfrJSyD0PHFG5SMKW2Hu2VjuVvJN G4xOFIoUmbsCnEcwp/zVkzG6PAA75usbPvEHbve75SjbRiZeXgctuomno6yWfE5z2C6R 0teTrPtLjPteBYW1rA/JBRbYIcNwR7EUUASStbff8oo5u74Irr8bQQfSSTlloLHPsJtq hIMCtNCR0/89LwYu02xZywVSfq9cRctPFRiA4dRGZY0zpSa3RYOHCeLMEUOk9ItNm7P5 GXBtnGk3bBzXTo8f0Xm2UXiaamJWiEP81N8opvll5iHbST5JAN7ly12Y8udPV8QNrWHf PYHA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :in-reply-to:message-id:date:subject:cc:to:from:dkim-signature :arc-authentication-results; bh=bcs14xepVb2Lsa1J1I2V2BC+k7bZ2Xo3d6DQp4VCwaU=; b=uefnTbufQ/3iZHWB7QXf2nkMj5zGcKptPxmaDquLlVcuT6DU+1Zc+iy2n1Yu+EgVHb bihTCHr2XzpPfU6QnYne59djXKCl86VVTOEDxLNP3ywHM7F8cZi1bmJleI6PHMrMlXLp H/lB1XDwGzFkIQGyuOT1D9Lc/eEW1wOKgCM92RE+OASjtcD+VEl+ClFT4ISaVuwUqdWV guIZZ7F0t3MG5M+FYjnNsdvCdVMKtsRLjNQwW+T6YwF2C2acsHtIqQnHhNGGPmsoAPZM oK+eaUtv1RpFdCLcZ3UmQQoA0LfSn7UuiWf9XuCEfBSFGR8I7SsDs8I+JhsDL3T6pcVs imng== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=xAkVDJcB; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id e1-v6si30787480pln.445.2018.05.28.03.17.07; Mon, 28 May 2018 03:17:22 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=xAkVDJcB; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S967952AbeE1KQB (ORCPT + 99 others); Mon, 28 May 2018 06:16:01 -0400 Received: from mail.kernel.org ([198.145.29.99]:36082 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S967624AbeE1KP4 (ORCPT ); Mon, 28 May 2018 06:15:56 -0400 Received: from localhost (LFbn-1-12247-202.w90-92.abo.wanadoo.fr [90.92.61.202]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id D5DD220843; Mon, 28 May 2018 10:15:55 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1527502556; bh=PwuShMdPosTntQRFOOwM/HOV4pr51MK4D+HC8MBfyZM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=xAkVDJcBLkRclmn75D9M3iZsGI+SNUVvM/PcOLeuuj60/AAmrUs7BtviCd9f1+h2H 9VTeHs2iBiR3kJy1u4b2Jr8Gv7wYuVKv3mUcMHig8Pp68dGd/uEuKXw8bS9VSA9uS5 nTlnj6fz4c1HH0pSW+jQdEJS9WG43CGy0bFjyZLA= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Davidlohr Bueso , Andrea Arcangeli , Joe Lawrence , Manfred Spraul , Andrew Morton , Linus Torvalds Subject: [PATCH 4.4 012/268] ipc/shm: fix shmat() nil address after round-down when remapping Date: Mon, 28 May 2018 11:59:46 +0200 Message-Id: <20180528100203.507229367@linuxfoundation.org> X-Mailer: git-send-email 2.17.0 In-Reply-To: <20180528100202.045206534@linuxfoundation.org> References: <20180528100202.045206534@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.4-stable review patch. If anyone has any objections, please let me know. ------------------ From: Davidlohr Bueso commit 8f89c007b6dec16a1793cb88de88fcc02117bbbc upstream. shmat()'s SHM_REMAP option forbids passing a nil address for; this is in fact the very first thing we check for. Andrea reported that for SHM_RND|SHM_REMAP cases we can end up bypassing the initial addr check, but we need to check again if the address was rounded down to nil. As of this patch, such cases will return -EINVAL. Link: http://lkml.kernel.org/r/20180503204934.kk63josdu6u53fbd@linux-n805 Signed-off-by: Davidlohr Bueso Reported-by: Andrea Arcangeli Cc: Joe Lawrence Cc: Manfred Spraul Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman --- ipc/shm.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) --- a/ipc/shm.c +++ b/ipc/shm.c @@ -1113,9 +1113,17 @@ long do_shmat(int shmid, char __user *sh goto out; else if ((addr = (ulong)shmaddr)) { if (addr & (shmlba - 1)) { - if (shmflg & SHM_RND) + if (shmflg & SHM_RND) { addr &= ~(shmlba - 1); /* round down */ - else + + /* + * Ensure that the round-down is non-nil + * when remapping. This can happen for + * cases when addr < shmlba. + */ + if (!addr && (shmflg & SHM_REMAP)) + goto out; + } else #ifndef __ARCH_FORCE_SHMLBA if (addr & ~PAGE_MASK) #endif