[thirdparty/kernel/stable-queue.git] / releases / 4.19.34 / powerpc-hugetlb-handle-mmap_min_addr-correctly-in-ge.patch

From 99ee7f5d19e043a51116b66b2ab12345d2616aa3 Mon Sep 17 00:00:00 2001
From: "Aneesh Kumar K.V" <aneesh.kumar@linux.ibm.com>
Date: Tue, 26 Feb 2019 10:09:34 +0530
Subject: powerpc/hugetlb: Handle mmap_min_addr correctly in get_unmapped_area
 callback

[ Upstream commit 5330367fa300742a97e20e953b1f77f48392faae ]

After we ALIGN up the address we need to make sure we didn't overflow
and resulted in zero address. In that case, we need to make sure that
the returned address is greater than mmap_min_addr.

This fixes selftest va_128TBswitch --run-hugetlb reporting failures when
run as non root user for

mmap(-1, MAP_HUGETLB)

The bug is that a non-root user requesting address -1 will be given address 0
which will then fail, whereas they should have been given something else that
would have succeeded.

We also avoid the first mmap(-1, MAP_HUGETLB) returning NULL address as mmap address
with this change. So we think this is not a security issue, because it only affects
whether we choose an address below mmap_min_addr, not whether we
actually allow that address to be mapped. ie. there are existing capability
checks to prevent a user mapping below mmap_min_addr and those will still be
honoured even without this fix.

Fixes: 484837601d4d ("powerpc/mm: Add radix support for hugetlb")
Reviewed-by: Laurent Dufour <ldufour@linux.vnet.ibm.com>
Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/powerpc/mm/hugetlbpage-radix.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/arch/powerpc/mm/hugetlbpage-radix.c b/arch/powerpc/mm/hugetlbpage-radix.c
index 2486bee0f93e..97c7a39ebc00 100644
--- a/arch/powerpc/mm/hugetlbpage-radix.c
+++ b/arch/powerpc/mm/hugetlbpage-radix.c
@@ -1,6 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0
 #include <linux/mm.h>
 #include <linux/hugetlb.h>
+#include <linux/security.h>
 #include <asm/pgtable.h>
 #include <asm/pgalloc.h>
 #include <asm/cacheflush.h>
@@ -73,7 +74,7 @@ radix__hugetlb_get_unmapped_area(struct file *file, unsigned long addr,
 	if (addr) {
 		addr = ALIGN(addr, huge_page_size(h));
 		vma = find_vma(mm, addr);
-		if (high_limit - len >= addr &&
+		if (high_limit - len >= addr && addr >= mmap_min_addr &&
 		    (!vma || addr + len <= vm_start_gap(vma)))
 			return addr;
 	}
@@ -83,7 +84,7 @@ radix__hugetlb_get_unmapped_area(struct file *file, unsigned long addr,
 	 */
 	info.flags = VM_UNMAPPED_AREA_TOPDOWN;
 	info.length = len;
-	info.low_limit = PAGE_SIZE;
+	info.low_limit = max(PAGE_SIZE, mmap_min_addr);
 	info.high_limit = mm->mmap_base + (high_limit - DEFAULT_MAP_WINDOW);
 	info.align_mask = PAGE_MASK & ~huge_page_mask(h);
 	info.align_offset = 0;
-- 
2.19.1
Commit	Line	Data
ba172962 SL	1	From 99ee7f5d19e043a51116b66b2ab12345d2616aa3 Mon Sep 17 00:00:00 2001
	2	From: "Aneesh Kumar K.V" <aneesh.kumar@linux.ibm.com>
	3	Date: Tue, 26 Feb 2019 10:09:34 +0530
	4	Subject: powerpc/hugetlb: Handle mmap_min_addr correctly in get_unmapped_area
	5	callback
	6
	7	[ Upstream commit 5330367fa300742a97e20e953b1f77f48392faae ]
	8
	9	After we ALIGN up the address we need to make sure we didn't overflow
	10	and resulted in zero address. In that case, we need to make sure that
	11	the returned address is greater than mmap_min_addr.
	12
	13	This fixes selftest va_128TBswitch --run-hugetlb reporting failures when
	14	run as non root user for
	15
	16	mmap(-1, MAP_HUGETLB)
	17
	18	The bug is that a non-root user requesting address -1 will be given address 0
	19	which will then fail, whereas they should have been given something else that
	20	would have succeeded.
	21
	22	We also avoid the first mmap(-1, MAP_HUGETLB) returning NULL address as mmap address
	23	with this change. So we think this is not a security issue, because it only affects
	24	whether we choose an address below mmap_min_addr, not whether we
	25	actually allow that address to be mapped. ie. there are existing capability
	26	checks to prevent a user mapping below mmap_min_addr and those will still be
	27	honoured even without this fix.
	28
	29	Fixes: 484837601d4d ("powerpc/mm: Add radix support for hugetlb")
	30	Reviewed-by: Laurent Dufour <ldufour@linux.vnet.ibm.com>
	31	Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
	32	Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
	33	Signed-off-by: Sasha Levin <sashal@kernel.org>
	34	---
	35	arch/powerpc/mm/hugetlbpage-radix.c \| 5 +++--
	36	1 file changed, 3 insertions(+), 2 deletions(-)
	37
	38	diff --git a/arch/powerpc/mm/hugetlbpage-radix.c b/arch/powerpc/mm/hugetlbpage-radix.c
	39	index 2486bee0f93e..97c7a39ebc00 100644
	40	--- a/arch/powerpc/mm/hugetlbpage-radix.c
	41	+++ b/arch/powerpc/mm/hugetlbpage-radix.c
	42	@@ -1,6 +1,7 @@
	43	// SPDX-License-Identifier: GPL-2.0
	44	#include <linux/mm.h>
	45	#include <linux/hugetlb.h>
	46	+#include <linux/security.h>
	47	#include <asm/pgtable.h>
	48	#include <asm/pgalloc.h>
	49	#include <asm/cacheflush.h>
	50	@@ -73,7 +74,7 @@ radix__hugetlb_get_unmapped_area(struct file *file, unsigned long addr,
	51	if (addr) {
	52	addr = ALIGN(addr, huge_page_size(h));
	53	vma = find_vma(mm, addr);
	54	- if (high_limit - len >= addr &&
	55	+ if (high_limit - len >= addr && addr >= mmap_min_addr &&
	56	(!vma \|\| addr + len <= vm_start_gap(vma)))
	57	return addr;
	58	}
	59	@@ -83,7 +84,7 @@ radix__hugetlb_get_unmapped_area(struct file *file, unsigned long addr,
	60	*/
	61	info.flags = VM_UNMAPPED_AREA_TOPDOWN;
	62	info.length = len;
	63	- info.low_limit = PAGE_SIZE;
	64	+ info.low_limit = max(PAGE_SIZE, mmap_min_addr);
65	info.high_limit = mm->mmap_base + (high_limit - DEFAULT_MAP_WINDOW);
66	info.align_mask = PAGE_MASK & ~huge_page_mask(h);
67	info.align_offset = 0;
68	--
69	2.19.1
70