Allow stack to grow up to address space limit

commit bd726c90b6b8ce87602208701b208a208e6d5600 upstream. Fix expand_upwards() on architectures with an upward-growing stack (parisc, metag and partly IA-64) to allow the stack to reliably grow exactly up to the address space limit given by TASK_SIZE. Signed-off-by: Helge Deller <deller@gmx.de> Acked-by: Hugh Dickins <hughd@google.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Ben Hutchings <ben@decadent.org.uk> CVE-2017-1000364 Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org> Change-Id: I09ba5194a654bc3722f018063414169f0754b4d9 Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
2017-06-19 17:34:05 +02:00 · 2017-06-19 17:34:05 +02:00 · c701778327
parent 8f965fea40
commit c701778327
1 changed files with 8 additions and 5 deletions
--- a/mm/mmap.c
+++ b/mm/mmap.c
@ -1867,16 +1867,19 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address)
 	 * We must make sure the anon_vma is allocated
 	 * so that the anon_vma locking is not a noop.
 	 */
-	/* Guard against wrapping around to address 0. */
+	/* Guard against exceeding limits of the address space. */
 	address &= PAGE_MASK;
-	address += PAGE_SIZE;
-	if (!address)
+	if (address >= TASK_SIZE)
 		return -ENOMEM;
+	address += PAGE_SIZE;

 	/* Enforce stack_guard_gap */
 	gap_addr = address + stack_guard_gap;
-	if (gap_addr < address)
-		return -ENOMEM;
+
+	/* Guard against overflow */
+	if (gap_addr < address || gap_addr > TASK_SIZE)
+		gap_addr = TASK_SIZE;
+
 	next = vma->vm_next;
 	if (next && next->vm_start < gap_addr) {
 		if (!(next->vm_flags & VM_GROWSUP))