From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Davidlohr Bueso, Andrea Arcangeli, Joe Lawrence, Manfred Spraul, Andrew Morton, Linus Torvalds
Subject: [PATCH 4.14 024/496] ipc/shm: fix shmat() nil address after round-down when remapping
Date: Mon, 28 May 2018 11:56:49 +0200
Message-Id: <20180528100320.611737952@linuxfoundation.org>
X-Mailer: git-send-email 2.17.0
In-Reply-To: <20180528100319.498712256@linuxfoundation.org>
References: <20180528100319.498712256@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

4.14-stable review patch. If anyone has any objections, please let me know.

------------------

From: Davidlohr Bueso

commit 8f89c007b6dec16a1793cb88de88fcc02117bbbc upstream.

shmat()'s SHM_REMAP option forbids passing a nil address for; this is in
fact the very first thing we check for. Andrea reported that for
SHM_RND|SHM_REMAP cases we can end up bypassing the initial addr check,
but we need to check again if the address was rounded down to nil. As of
this patch, such cases will return -EINVAL.

Link: http://lkml.kernel.org/r/20180503204934.kk63josdu6u53fbd@linux-n805
Signed-off-by: Davidlohr Bueso
Reported-by: Andrea Arcangeli
Cc: Joe Lawrence
Cc: Manfred Spraul
Cc:
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
Signed-off-by: Greg Kroah-Hartman

--- ipc/shm.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) --- a/ipc/shm.c +++ b/ipc/shm.c
@@ -1309,9 +1309,17 @@ long do_shmat(int shmid, char __user *sh if (addr) { if (addr & (shmlba - 1)) { - if (shmflg & SHM_RND) + if (shmflg & SHM_RND) { addr &= ~(shmlba - 1); /* round down */ - else + + /* + * Ensure that the round-down is non-nil + * when remapping. This can happen for + * cases when addr < shmlba. + */ + if (!addr && (shmflg & SHM_REMAP)) + goto out; + } else #ifndef __ARCH_FORCE_SHMLBA if (addr & ~PAGE_MASK) #endif
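
Review bot: the added `if (!addr && (shmflg & SHM_REMAP)) goto out;` in the SHM_RND branch jumps to `out` without assigning `err`, so the -EINVAL promised in the commit message depends on `err` already holding -EINVAL from an assignment that is outside this hunk. For a stable backport it is worth confirming that this holds at this point in the 4.14 `do_shmat()`, or setting `err = -EINVAL;` explicitly before the `goto` so that the nil-address rejection does not silently change its return value if the surrounding code is reordered. A smaller style point on the same lines: the `if` arm now has braces while the `} else` arm, which continues into the `#ifndef __ARCH_FORCE_SHMLBA` / `if (addr & ~PAGE_MASK)` construct, does not. Bracing both arms would make it harder to misread which statement the `else` governs when the preprocessor conditional is compiled out.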