git.ipfire.org Git - thirdparty/kernel/stable.git/commit
mm: enforce min addr even if capable() in expand_downwards()
author Jann Horn <jannh@google.com>
Wed, 27 Feb 2019 20:29:52 +0000 (21:29 +0100)
committer Ben Hutchings <ben@decadent.org.uk>
Thu, 2 May 2019 20:42:01 +0000 (21:42 +0100)
commit c90030281dc8b6a25ac8850e98e15877f80b8d66
tree 53cc3d855108d1647e30659883729e8c221e78aa
parent 120d66394f05ec50a018168850a8db6518ea2d9b
mm: enforce min addr even if capable() in expand_downwards()

commit 0a1d52994d440e21def1c2174932410b4f2a98a1 upstream.

security_mmap_addr() does a capability check with current_cred(), but
we can reach this code from contexts like a VFS write handler where
current_cred() must not be used.

This can be abused on systems without SMAP to make NULL pointer
dereferences exploitable again.

Fixes: 8869477a49c3 ("security: protect from stack expansion into low vm addresses")
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
mm/mmap.c
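
A user-space model of the check the commit message describes, added here as an illustration and not taken from the kernel patch: the "before" function lets the credentials that happen to be current override the minimum address, the "after" function enforces it unconditionally. `model_cred`, `check_before`, `check_after` and `model_min_addr` are hypothetical names, and the limit value is constructed.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

#define PAGE_MASK (~0xfffUL)

/* Constructed limit for the model; on a real system this is vm.mmap_min_addr. */
static const unsigned long model_min_addr = 0x10000UL;

/* Hypothetical stand-in for whatever credentials are "current" when the
 * stack-expansion path runs (e.g. those seen inside a VFS write handler). */
struct model_cred { bool cap_sys_rawio; };

/* Before: a low address is refused only when the current credentials lack
 * the capability, so the result depends on whose context the fault runs in. */
static int check_before(unsigned long address, const struct model_cred *cur)
{
    address &= PAGE_MASK;
    if (address < model_min_addr && !cur->cap_sys_rawio)
        return -EPERM;
    return 0;
}

/* After: the minimum address is enforced even if the capability check
 * would have passed; credentials no longer influence the decision. */
static int check_after(unsigned long address, const struct model_cred *cur)
{
    (void)cur;
    address &= PAGE_MASK;
    if (address < model_min_addr)
        return -EPERM;
    return 0;
}

int main(void)
{
    const struct model_cred unpriv = { false }, priv = { true };
    const unsigned long low = 0x1000UL, high = 0x7ffd0000UL; /* constructed */

    printf("before: low/unpriv=%d low/priv=%d high/unpriv=%d\n",
           check_before(low, &unpriv), check_before(low, &priv),
           check_before(high, &unpriv));
    printf("after:  low/unpriv=%d low/priv=%d high/unpriv=%d\n",
           check_after(low, &unpriv), check_after(low, &priv),
           check_after(high, &unpriv));
    return 0;
}
```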