security: protect from stack expantion into low vm addresses

patch 8869477a49c3e99def1fcdadd6bbc407fea14b45 in mainline. Add security checks to make sure we are not attempting to expand the stack into memory protected by mmap_min_addr Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: James Morris <jmorris@namei.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
author: Eric Paris <eparis@redhat.com> 2007-11-26 18:47:26 -0500
committer: Greg Kroah-Hartman <gregkh@suse.de> 2008-02-08 12:01:44 -0800
commit: 0bab2ffb612cbc6b654d321848feb05c8bdbb029 (patch)
tree: d5417cb602995bddf81da398f00cf5f5a0fe15ca
parent: a0209f336a1dff0363b558a972eb71eef74e0084 (diff)
1 files changed, 6 insertions, 2 deletions
diff --git a/mm/mmap.c b/mm/mmap.c
index 5c214334d89e..94326cb74f9b 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -1619,6 +1619,12 @@ static inline int expand_downwards(struct vm_area_struct *vma,
 	 */
 	if (unlikely(anon_vma_prepare(vma)))
 		return -ENOMEM;
+
+	address &= PAGE_MASK;
+	error = security_file_mmap(0, 0, 0, 0, address, 1);
+	if (error)
+		return error;
+
 	anon_vma_lock(vma);
 
 	/*
@@ -1626,8 +1632,6 @@ static inline int expand_downwards(struct vm_area_struct *vma,
 	 * is required to hold the mmap_sem in read mode.  We need the
 	 * anon_vma lock to serialize against concurrent expand_stacks.
 	 */
-	address &= PAGE_MASK;
-	error = 0;
 
 	/* Somebody else might have raced and expanded it already */
 	if (address < vma->vm_start) {
author	Eric Paris <eparis@redhat.com>	2007-11-26 18:47:26 -0500
committer	Greg Kroah-Hartman <gregkh@suse.de>	2008-02-08 12:01:44 -0800
commit	0bab2ffb612cbc6b654d321848feb05c8bdbb029 (patch)
tree	d5417cb602995bddf81da398f00cf5f5a0fe15ca
parent	a0209f336a1dff0363b558a972eb71eef74e0084 (diff)