[PATCH] x86_64: TASK_SIZE fixes for compatibility mode processes

A malicious 32bit app can have an elf section at 0xffffe000. During exec of this app, we will have a memory leak as insert_vm_struct() is not checking for return value in syscall32_setup_pages() and thus not freeing the vma allocated for the vsyscall page. Check the return value and free the vma incase of failure. Signed-off-by: N Suresh Siddha <suresh.b.siddha@intel.com> Signed-off-by: N Linus Torvalds <torvalds@osdl.org>

[PATCH] x86_64: TASK_SIZE fixes for compatibility mode processes
A malicious 32bit app can have an elf section at 0xffffe000. During exec of this app, we will have a memory leak as insert_vm_struct() is not checking for return value in syscall32_setup_pages() and thus not freeing the vma allocated for the vsyscall page. Check the return value and free the vma incase of failure. Signed-off-by: N Suresh Siddha <suresh.b.siddha@intel.com> Signed-off-by: N Linus Torvalds <torvalds@osdl.org>
9fb1759a · Siddha, Suresh B · Linus Torvalds · d6e18603 · 9fb1759a
隐藏空白更改
内联并排

Showing with 6 addition and 1 deletion

arch/x86_64/ia32/syscall32.c arch/x86_64/ia32/syscall32.c +6 -1

未找到文件。
--- a/arch/x86_64/ia32/syscall32.c
+++ b/arch/x86_64/ia32/syscall32.c
@@ -57,6 +57,7 @@ int syscall32_setup_pages(struct linux_binprm *bprm, int exstack)
 	int npages = (VSYSCALL32_END - VSYSCALL32_BASE) >> PAGE_SHIFT;
 	struct vm_area_struct *vma;
 	struct mm_struct *mm = current->mm;
+	int ret;

 	vma = kmem_cache_alloc(vm_area_cachep, SLAB_KERNEL);
 	if (!vma)
@@ -78,7 +79,11 @@ int syscall32_setup_pages(struct linux_binprm *bprm, int exstack)
 	vma->vm_mm = mm;

 	down_write(&mm->mmap_sem);
-	insert_vm_struct(mm, vma);
+	if ((ret = insert_vm_struct(mm, vma))) {
+		up_write(&mm->mmap_sem);
+		kmem_cache_free(vm_area_cachep, vma);
+		return ret;
+	}
 	mm->total_vm += npages;
 	up_write(&mm->mmap_sem);
 	return 0;