security: protect from stack expantion into low vm addresses

Add security checks to make sure we are not attempting to expand the stack into memory protected by mmap_min_addr Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>

security: protect from stack expantion into low vm addresses
Add security checks to make sure we are not attempting to expand the stack into memory protected by mmap_min_addr Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
Eric Paris · James Morris
1 parent ab5a91a836
Showing 1 changed file with 6 additions and 2 deletions Side-by-side Diff
mm/mmap.c
@@ -1615,6 +1615,12 @@
 	 */
 	if (unlikely(anon_vma_prepare(vma)))
 		return -ENOMEM;
+
+	address &= PAGE_MASK;
+	error = security_file_mmap(0, 0, 0, 0, address, 1);
+	if (error)
+		return error;
+
 	anon_vma_lock(vma);
  
 	/*
@@ -1622,8 +1628,6 @@
 	 * is required to hold the mmap_sem in read mode.  We need the
 	 * anon_vma lock to serialize against concurrent expand_stacks.
 	 */
-	address &= PAGE_MASK;
-	error = 0;
  
 	/* Somebody else might have raced and expanded it already */
 	if (address < vma->vm_start) {
...	...	@@ -1615,6 +1615,12 @@
1615	1615	*/
1616	1616	if (unlikely(anon_vma_prepare(vma)))
1617	1617	return -ENOMEM;
	1618	+
	1619	+ address &= PAGE_MASK;
	1620	+ error = security_file_mmap(0, 0, 0, 0, address, 1);
	1621	+ if (error)
	1622	+ return error;
	1623	+
1618	1624	anon_vma_lock(vma);
1619	1625
1620	1626	/*
...	...	@@ -1622,8 +1628,6 @@
1622	1628	* is required to hold the mmap_sem in read mode. We need the
1623	1629	* anon_vma lock to serialize against concurrent expand_stacks.
1624	1630	*/
1625		- address &= PAGE_MASK;
1626		- error = 0;
1627	1631
1628	1632	/* Somebody else might have raced and expanded it already */
1629	1633	if (address < vma->vm_start) {