From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Davidlohr Bueso, Andrea Arcangeli, Joe Lawrence, Manfred Spraul, Andrew Morton, Linus Torvalds
Subject: [PATCH 4.16 033/272] ipc/shm: fix shmat() nil address after round-down when remapping
Date: Mon, 28 May 2018 12:01:06 +0200
Message-Id: <20180528100243.523008706@linuxfoundation.org>
In-Reply-To: <20180528100240.256525891@linuxfoundation.org>
References: <20180528100240.256525891@linuxfoundation.org>

4.16-stable review patch. If anyone has any objections, please let me know.

------------------

From: Davidlohr Bueso

commit 8f89c007b6dec16a1793cb88de88fcc02117bbbc upstream.

shmat()'s SHM_REMAP option forbids passing a nil address; this is in fact the very first thing we check for. Andrea reported that for SHM_RND|SHM_REMAP cases we can end up bypassing the initial addr check, but we need to check again if the address was rounded down to nil. As of this patch, such cases will return -EINVAL.

Link: http://lkml.kernel.org/r/20180503204934.kk63josdu6u53fbd@linux-n805
Signed-off-by: Davidlohr Bueso
Reported-by: Andrea Arcangeli
Cc: Joe Lawrence
Cc: Manfred Spraul
Cc:
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
Signed-off-by: Greg Kroah-Hartman
---
ipc/shm.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)

--- a/ipc/shm.c +++ b/ipc/shm.c
@@ -1320,9 +1320,17 @@ long do_shmat(int shmid, char __user *sh if (addr) { if (addr & (shmlba - 1)) { - if (shmflg & SHM_RND) + if (shmflg & SHM_RND) { addr &= ~(shmlba - 1); /* round down */ - else + + /* + * Ensure that the round-down is non-nil + * when remapping. This can happen for + * cases when addr < shmlba. + */ + if (!addr && (shmflg & SHM_REMAP)) + goto out; + } else #ifndef __ARCH_FORCE_SHMLBA if (addr & ~PAGE_MASK) #endif
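
Review bot: The new `goto out` inside the SHM_RND branch depends on `err` already holding -EINVAL when control reaches it, and nothing in this hunk sets or shows that value. The commit message promises -EINVAL for the rounded-down-to-nil case, so either confirm that `err` is initialised to -EINVAL before `if (addr)` or set it explicitly next to the `if (!addr && (shmflg & SHM_REMAP))` check, so that a later reordering of the function cannot silently change the return code on this path. A smaller style point in the same region: after this change the `if (shmflg & SHM_RND)` arm is braced while the `else` arm, which spans the `#ifndef __ARCH_FORCE_SHMLBA` conditional, is not; bracing both arms would make the preprocessor-dependent body easier to follow.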