The patch titled
     Subject: mm/mmap.c: add more sanity checks to get_unmapped_area()
has been added to the -mm tree.  Its filename is
     mm-mmapc-add-more-sanity-checks-to-get_unmapped_area.patch

This patch should soon appear at
    http://ozlabs.org/~akpm/mmots/broken-out/mm-mmapc-add-more-sanity-checks-to-get_unmapped_area.patch
and later at
    http://ozlabs.org/~akpm/mmotm/broken-out/mm-mmapc-add-more-sanity-checks-to-get_unmapped_area.patch

Before you just go and hit "reply", please:
   a) Consider who else should be cc'ed
   b) Prefer to cc a suitable mailing list as well
   c) Ideally: find the original patch on the mailing list and do a
      reply-to-all to that, adding suitable additional cc's

*** Remember to use Documentation/process/submit-checklist.rst when testing your code ***

The -mm tree is included into linux-next and is updated
there every 3-4 working days

------------------------------------------------------
From: Alexander Gordeev <agordeev@xxxxxxxxxxxxx>
Subject: mm/mmap.c: add more sanity checks to get_unmapped_area()

The generic get_unmapped_area() function does sanity checks of the address
and length of the area to be mapped.  Yet, it lacks checking against the
mmap_min_addr and mmap_end limits.  At the same time, the default
implementation of the arch_get_unmapped_area[_topdown]() functions and some
architecture callbacks do mmap_min_addr and mmap_end checks on their own.

Put additional checks into the generic code and do not let architecture
callbacks get away with a possible area outside of the allowed limits.
That could also relieve the arch_get_unmapped_area[_topdown]() callbacks of
their own address and length sanity checks.

Link: http://lkml.kernel.org/r/d14f2cff3c891ef2c4b0337d737c6f04beacb124.1584958099.git.agordeev@xxxxxxxxxxxxx
Signed-off-by: Alexander Gordeev <agordeev@xxxxxxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
---

 mm/mmap.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
--- a/mm/mmap.c~mm-mmapc-add-more-sanity-checks-to-get_unmapped_area +++ a/mm/mmap.c @@ -2208,12 +2208,13 @@ get_unmapped_area(struct file *file, uns unsigned long (*get_area)(struct file *, unsigned long, unsigned long, unsigned long, unsigned long); + const unsigned long mmap_end = arch_get_mmap_end(addr); unsigned long error = arch_mmap_check(addr, len, flags); if (error) return error; /* Careful about overflows.. */ - if (len > TASK_SIZE) + if (len > mmap_end - mmap_min_addr) return -ENOMEM; get_area = current->mm->get_unmapped_area; @@ -2234,7 +2235,7 @@ get_unmapped_area(struct file *file, uns if (IS_ERR_VALUE(addr)) return addr; - if (addr > TASK_SIZE - len) + if ((addr < mmap_min_addr) || (addr > mmap_end - len)) return -ENOMEM; if (offset_in_page(addr)) return -EINVAL; _ Patches currently in -mm which might be from agordeev@xxxxxxxxxxxxx are mm-mmapc-add-more-sanity-checks-to-get_unmapped_area.patch mm-mmapc-do-not-allow-mappings-outside-of-allowed-limits.patch
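Review bot: in the first hunk, the new length check `if (len > mmap_end - mmap_min_addr)` silently assumes mmap_min_addr <= mmap_end. mmap_min_addr is a runtime sysctl (vm.mmap_min_addr) and nothing in this hunk bounds it, so a value at or above mmap_end would wrap the subtraction and let an oversized len through the very test the "Careful about overflows.." comment is guarding. Either reject that configuration up front (mmap_min_addr >= mmap_end is -ENOMEM) or state the invariant, and update the comment so it says the window being enforced is now [mmap_min_addr, mmap_end) rather than [0, TASK_SIZE). Also note that mmap_end is computed from the caller's hint before arch_mmap_check() runs, while what is ultimately validated is the address the callback returns; that is fine as long as arch_get_mmap_end() gives the same answer for both, which the changelog should say.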
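Review bot: in the second hunk, the new low-bound test `if ((addr < mmap_min_addr) || (addr > mmap_end - len))` reports -ENOMEM, but an address below mmap_min_addr is a policy refusal rather than exhaustion, and callers that previously received the mmap_min_addr decision from the LSM/security hook (including the CAP_SYS_RAWIO exception for MAP_FIXED requests below the floor) will now get an unconditional -ENOMEM before that hook is reached. Please confirm this change of error code and of privileged-caller behaviour is intended and call it out in the changelog, or leave the low bound to the existing hook and keep only the mmap_end check here. Minor style point: the inner parentheses around the two comparisons are unnecessary.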