From 64668ed7a1f5b90e68e9b99eea70fa1300bc6625 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Tue, 7 Apr 2020 16:54:40 +0200
Subject: [PATCH] 4.4-stable patches
added patches:
mm-mempolicy-require-at-least-one-nodeid-for-mpol_preferred.patch
---
...-least-one-nodeid-for-mpol_preferred.patch | 57 +++++++++++++++++++
queue-4.4/series | 1 +
2 files changed, 58 insertions(+)
create mode 100644 queue-4.4/mm-mempolicy-require-at-least-one-nodeid-for-mpol_preferred.patch
diff --git a/queue-4.4/mm-mempolicy-require-at-least-one-nodeid-for-mpol_preferred.patch b/queue-4.4/mm-mempolicy-require-at-least-one-nodeid-for-mpol_preferred.patch
new file mode 100644
index 00000000000..e3184858f78
--- /dev/null
+++ b/queue-4.4/mm-mempolicy-require-at-least-one-nodeid-for-mpol_preferred.patch
@@ -0,0 +1,57 @@
+From aa9f7d5172fac9bf1f09e678c35e287a40a7b7dd Mon Sep 17 00:00:00 2001
+From: Randy Dunlap
+Date: Wed, 1 Apr 2020 21:10:58 -0700
+Subject: mm: mempolicy: require at least one nodeid for MPOL_PREFERRED
+
+From: Randy Dunlap
+
+commit aa9f7d5172fac9bf1f09e678c35e287a40a7b7dd upstream.
+
+Using an empty (malformed) nodelist that is not caught during mount option
+parsing leads to a stack-out-of-bounds access.
+
+The option string that was used was: "mpol=prefer:,". However,
+MPOL_PREFERRED requires a single node number, which is not being provided
+here.
+
+Add a check that 'nodes' is not empty after parsing for MPOL_PREFERRED's
+nodeid.
+
+Fixes: 095f1fc4ebf3 ("mempolicy: rework shmem mpol parsing and display")
+Reported-by: Entropy Moe <3ntr0py1337@gmail.com>
+Reported-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com
+Signed-off-by: Randy Dunlap
+Signed-off-by: Andrew Morton
+Tested-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com
+Cc: Lee Schermerhorn
+Link: http://lkml.kernel.org/r/89526377-7eb6-b662-e1d8-4430928abde9@infradead.org
+Signed-off-by: Linus Torvalds
+Cc: Guenter Roeck
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ mm/mempolicy.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/mm/mempolicy.c
++++ b/mm/mempolicy.c
+@@ -2725,7 +2725,9 @@ int mpol_parse_str(char *str, struct mem
+ switch (mode) {
+ case MPOL_PREFERRED:
+ /*
+- * Insist on a nodelist of one node only
++ * Insist on a nodelist of one node only, although later
++ * we use first_node(nodes) to grab a single node, so here
++ * nodelist (or nodes) cannot be empty.
+ */
+ if (nodelist) {
+ char *rest = nodelist;
+@@ -2733,6 +2735,8 @@ int mpol_parse_str(char *str, struct mem
+ rest++;
+ if (*rest)
+ goto out;
++ if (nodes_empty(nodes))
++ goto out;
+ }
+ break;
+ case MPOL_INTERLEAVE:
diff --git a/queue-4.4/series b/queue-4.4/series
index 32cdcdcbaa4..1fa9ce99a9d 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
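Review bot: The comment added at the top of the MPOL_PREFERRED case ends with `nodelist (or nodes) cannot be empty`, but the new guard tests only `nodes`, and it sits inside `if (nodelist)`, so a missing nodelist is not rejected at this point at all. Rewording that last comment line to `* nodes must not be empty once a nodelist was supplied.` would keep the next reader from looking for a nodelist check that does not exist. Whether the `nodelist == NULL` path is safe depends on code outside this hunk — presumably it never reaches `first_node(nodes)`, but that is worth confirming in the 4.4 `mpol_parse_str`, whose body starts before and ends after the hunk. For a stable backport, though, keeping the text byte-identical to upstream commit aa9f7d5172fac9bf1f09e678c35e287a40a7b7dd is the stronger argument, so this is a note for the upstream side rather than a reason to alter the queued patch.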
@@ -13,3 +13,4 @@ l2tp-fix-race-between-l2tp_session_delete-and-l2tp_tunnel_closeall.patch
 usb-gadget-uac2-drop-unused-device-qualifier-descriptor.patch
 usb-gadget-printer-drop-unused-device-qualifier-descriptor.patch
 padata-always-acquire-cpu_hotplug_lock-before-pinst-lock.patch
+mm-mempolicy-require-at-least-one-nodeid-for-mpol_preferred.patch
--
2.47.3