lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <1255516134-4838-1-git-send-email-graff.yang@gmail.com>
Date:	Wed, 14 Oct 2009 18:28:54 +0800
From:	<graff.yang@...il.com>
To:	<dhowells@...hat.com>, <linux-kernel@...r.kernel.org>,
	<gyang@...ckfin.uclinux.org>
CC:	<akpm@...ux-foundation.org>,
	<uclinux-dist-devel@...ckfin.uclinux.org>,
	Graff Yang <graf.yang@...log.com>
Subject: [PATCH] mm/nommu.c: Fix improperly call of security API in mmap

From: Graff Yang <graf.yang@...log.com>

The original code calling security_file_mmap() use user's hint address
as it's 5th argument(addr). This is improper, as the hint address may be
NULL.
In this case, the security_file_mmap() may incorrectly return -EPERM.

This patch moved the calling of security_file_mmap() out of
validate_mmap_request() to do_mmap_pgoff(), and call this
security API with the address that attempting to mmap.

Signed-off-by: Graff Yang <graf.yang@...log.com>
---
 mm/nommu.c |   18 ++++++++++++------
 1 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/mm/nommu.c b/mm/nommu.c
index 3a5e989..fc986d4 100644
--- a/mm/nommu.c
+++ b/mm/nommu.c
@@ -862,7 +862,6 @@ static int validate_mmap_request(struct file *file,
 				 unsigned long *_capabilities)
 {
 	unsigned long capabilities, rlen;
-	unsigned long reqprot = prot;
 	int ret;
 
 	/* do the simple checks first */
@@ -1013,11 +1012,6 @@ static int validate_mmap_request(struct file *file,
 			prot |= PROT_EXEC;
 	}
 
-	/* allow the security API to have its say */
-	ret = security_file_mmap(file, reqprot, prot, flags, addr, 0);
-	if (ret < 0)
-		return ret;
-
 	/* looks okay */
 	*_capabilities = capabilities;
 	return 0;
@@ -1231,6 +1225,7 @@ unsigned long do_mmap_pgoff(struct file *file,
 	struct vm_area_struct *vma;
 	struct vm_region *region;
 	struct rb_node *rb;
+	unsigned long reqprot = prot;
 	unsigned long capabilities, vm_flags, result;
 	int ret;
 
@@ -1327,6 +1322,12 @@ unsigned long do_mmap_pgoff(struct file *file,
 				continue;
 			}
 
+			/* allow the security API to have its say */
+			ret = security_file_mmap(file, reqprot, prot, flags,
+							pregion->vm_start, 0);
+			if (ret < 0)
+				goto error_just_free;
+
 			/* we've found a region we can share */
 			atomic_inc(&pregion->vm_usage);
 			vma->vm_region = pregion;
@@ -1394,6 +1395,11 @@ unsigned long do_mmap_pgoff(struct file *file,
 	if (ret < 0)
 		goto error_put_region;
 
+	ret = security_file_mmap(file, reqprot, prot, flags,
+					vma->vm_start, 0);
+	if (ret < 0)
+		goto error_put_region;
+
 	/* okay... we have a mapping; now we have to register it */
 	result = vma->vm_start;
 
-- 
1.6.4.4

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ