The patch titled
Subject: kernel/sys.c: prctl: fix false positive in validate_prctl_map()
has been added to the -mm tree. Its filename is
prctl-fix-false-positive-in-validate_prctl_map.patch
This patch should soon appear at
http://ozlabs.org/~akpm/mmots/broken-out/prctl-fix-false-positive-in-validate_prctl_map.patch
and later at
http://ozlabs.org/~akpm/mmotm/broken-out/prctl-fix-false-positive-in-validate_prctl_map.patch
Before you just go and hit "reply", please:
a) Consider who else should be cc'ed
b) Prefer to cc a suitable mailing list as well
c) Ideally: find the original patch on the mailing list and do a
reply-to-all to that, adding suitable additional cc's
*** Remember to use Documentation/process/submit-checklist.rst when testing your code ***
The -mm tree is included into linux-next and is updated
there every 3-4 working days
------------------------------------------------------
From: Cyrill Gorcunov <gorcunov@xxxxxxxxx>
Subject: kernel/sys.c: prctl: fix false positive in validate_prctl_map()
While validating new map we require the @start_data to be strictly less
than @end_data, which is fine for regular applications (this is why this
nit didn't trigger for that long). These members are set from executable
loaders such as elf handers, still it is pretty valid to have a loadable
data section with zero size in file, in such case the start_data is equal
to end_data once kernel loader finishes.
As a result when we're trying to restore such programs the procedure fails
and the kernel returns -EINVAL. From the image dump of a program:
| "mm_start_code": "0x400000",
| "mm_end_code": "0x8f5fb4",
| "mm_start_data": "0xf1bfb0",
| "mm_end_data": "0xf1bfb0",
Thus we need to change validate_prctl_map from strictly less to less or
equal operator use.
Link: http://lkml.kernel.org/r/20190408143554.GY1421@xxxxxxxxxx
Fixes: f606b77f1a9e3 ("prctl: PR_SET_MM -- introduce PR_SET_MM_MAP operation")
Signed-off-by: Cyrill Gorcunov <gorcunov@xxxxxxxxx>
Cc: Andrey Vagin <avagin@xxxxxxxxx>
Cc: Dmitry Safonov <0x7f454c46@xxxxxxxxx>
Cc: Pavel Emelyanov <xemul@xxxxxxxxxxxxx>
Cc: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
---
kernel/sys.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/kernel/sys.c~prctl-fix-false-positive-in-validate_prctl_map
+++ a/kernel/sys.c
@@ -1924,7 +1924,7 @@ static int validate_prctl_map(struct prc
((unsigned long)prctl_map->__m1 __op \
(unsigned long)prctl_map->__m2) ? 0 : -EINVAL
error = __prctl_check_order(start_code, <, end_code);
- error |= __prctl_check_order(start_data, <, end_data);
+ error |= __prctl_check_order(start_data,<=, end_data);
error |= __prctl_check_order(start_brk, <=, brk);
error |= __prctl_check_order(arg_start, <=, arg_end);
error |= __prctl_check_order(env_start, <=, env_end);
_
Patches currently in -mm which might be from gorcunov@xxxxxxxxx are
prctl-fix-false-positive-in-validate_prctl_map.patch
