[thirdparty/kernel/stable-queue.git] / pending-4.9 / kernel-sys.c-prctl-fix-false-positive-in-validate_pr.patch

From 3f97ddf2a33230ac7f21f785a229945b90dfac11 Mon Sep 17 00:00:00 2001
From: Cyrill Gorcunov <gorcunov@gmail.com>
Date: Mon, 13 May 2019 17:15:40 -0700
Subject: kernel/sys.c: prctl: fix false positive in validate_prctl_map()

[ Upstream commit a9e73998f9d705c94a8dca9687633adc0f24a19a ]

While validating new map we require the @start_data to be strictly less
than @end_data, which is fine for regular applications (this is why this
nit didn't trigger for that long).  These members are set from executable
loaders such as elf handers, still it is pretty valid to have a loadable
data section with zero size in file, in such case the start_data is equal
to end_data once kernel loader finishes.

As a result when we're trying to restore such programs the procedure fails
and the kernel returns -EINVAL.  From the image dump of a program:

 | "mm_start_code": "0x400000",
 | "mm_end_code": "0x8f5fb4",
 | "mm_start_data": "0xf1bfb0",
 | "mm_end_data": "0xf1bfb0",

Thus we need to change validate_prctl_map from strictly less to less or
equal operator use.

Link: http://lkml.kernel.org/r/20190408143554.GY1421@uranus.lan
Fixes: f606b77f1a9e3 ("prctl: PR_SET_MM -- introduce PR_SET_MM_MAP operation")
Signed-off-by: Cyrill Gorcunov <gorcunov@gmail.com>
Cc: Andrey Vagin <avagin@gmail.com>
Cc: Dmitry Safonov <0x7f454c46@gmail.com>
Cc: Pavel Emelyanov <xemul@virtuozzo.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/sys.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/sys.c b/kernel/sys.c
index 6c4e9b533258..157277cbf83a 100644
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -1762,7 +1762,7 @@ static int validate_prctl_map(struct prctl_mm_map *prctl_map)
 	((unsigned long)prctl_map->__m1 __op				\
 	 (unsigned long)prctl_map->__m2) ? 0 : -EINVAL
 	error  = __prctl_check_order(start_code, <, end_code);
-	error |= __prctl_check_order(start_data, <, end_data);
+	error |= __prctl_check_order(start_data,<=, end_data);
 	error |= __prctl_check_order(start_brk, <=, brk);
 	error |= __prctl_check_order(arg_start, <=, arg_end);
 	error |= __prctl_check_order(env_start, <=, env_end);
-- 
2.20.1
Commit	Line	Data
bb104d9e SL	1	From 3f97ddf2a33230ac7f21f785a229945b90dfac11 Mon Sep 17 00:00:00 2001
	2	From: Cyrill Gorcunov <gorcunov@gmail.com>
	3	Date: Mon, 13 May 2019 17:15:40 -0700
	4	Subject: kernel/sys.c: prctl: fix false positive in validate_prctl_map()
	5
	6	[ Upstream commit a9e73998f9d705c94a8dca9687633adc0f24a19a ]
	7
	8	While validating new map we require the @start_data to be strictly less
	9	than @end_data, which is fine for regular applications (this is why this
	10	nit didn't trigger for that long). These members are set from executable
	11	loaders such as elf handers, still it is pretty valid to have a loadable
	12	data section with zero size in file, in such case the start_data is equal
	13	to end_data once kernel loader finishes.
	14
	15	As a result when we're trying to restore such programs the procedure fails
	16	and the kernel returns -EINVAL. From the image dump of a program:
	17
	18	\| "mm_start_code": "0x400000",
	19	\| "mm_end_code": "0x8f5fb4",
	20	\| "mm_start_data": "0xf1bfb0",
	21	\| "mm_end_data": "0xf1bfb0",
	22
	23	Thus we need to change validate_prctl_map from strictly less to less or
	24	equal operator use.
	25
	26	Link: http://lkml.kernel.org/r/20190408143554.GY1421@uranus.lan
	27	Fixes: f606b77f1a9e3 ("prctl: PR_SET_MM -- introduce PR_SET_MM_MAP operation")
	28	Signed-off-by: Cyrill Gorcunov <gorcunov@gmail.com>
	29	Cc: Andrey Vagin <avagin@gmail.com>
	30	Cc: Dmitry Safonov <0x7f454c46@gmail.com>
	31	Cc: Pavel Emelyanov <xemul@virtuozzo.com>
	32	Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
	33	Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
	34	Signed-off-by: Sasha Levin <sashal@kernel.org>
	35	---
	36	kernel/sys.c \| 2 +-
	37	1 file changed, 1 insertion(+), 1 deletion(-)
	38
	39	diff --git a/kernel/sys.c b/kernel/sys.c
	40	index 6c4e9b533258..157277cbf83a 100644
	41	--- a/kernel/sys.c
	42	+++ b/kernel/sys.c
	43	@@ -1762,7 +1762,7 @@ static int validate_prctl_map(struct prctl_mm_map *prctl_map)
	44	((unsigned long)prctl_map->__m1 __op \
	45	(unsigned long)prctl_map->__m2) ? 0 : -EINVAL
	46	error = __prctl_check_order(start_code, <, end_code);
	47	- error \|= __prctl_check_order(start_data, <, end_data);
	48	+ error \|= __prctl_check_order(start_data,<=, end_data);
	49	error \|= __prctl_check_order(start_brk, <=, brk);
	50	error \|= __prctl_check_order(arg_start, <=, arg_end);
	51	error \|= __prctl_check_order(env_start, <=, env_end);
	52	--
	53	2.20.1
	54