From: Hugh Dickins <hugh@veritas.com>
Date: Mon, 17 Apr 2006 21:46:32 +0000 (+0100)
Subject: [PATCH] fix MADV_REMOVE vulnerability (CVE-2006-1524 for real this time)
X-Git-Tag: v2.6.16.7~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=00ec474c9bed7883f1b3e5f46e3bf09f7de69975;p=thirdparty%2Fkernel%2Fstable.git

[PATCH] fix MADV_REMOVE vulnerability (CVE-2006-1524 for real this time)

madvise_remove needs to respect file and mmap protections.

Signed-off-by: Hugh Dickins <hugh@veritas.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---

diff --git a/mm/madvise.c b/mm/madvise.c
index af3d573b01412..4e196155a0c36 100644
--- a/mm/madvise.c
+++ b/mm/madvise.c
@@ -168,6 +168,9 @@ static long madvise_remove(struct vm_area_struct *vma,
 			return -EINVAL;
 	}
 
+	if ((vma->vm_flags & (VM_SHARED|VM_WRITE)) != (VM_SHARED|VM_WRITE))
+		return -EACCES;
+
 	mapping = vma->vm_file->f_mapping;
 
 	offset = (loff_t)(start - vma->vm_start)