security: protect from stack expantion into low vm addresses

patch 8869477a49c3e99def1fcdadd6bbc407fea14b45 in mainline.

Add security checks to make sure we are not attempting to expand the
stack into memory protected by mmap_min_addr

Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

diff --git a/mm/mmap.c b/mm/mmap.c
index 5c214334d89e03a9997683792ef715eb938e5075..94326cb74f9bffcab39f93f8f5dfeecec7e68939 100644 (file)
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -1619,6 +1619,12 @@ static inline int expand_downwards(struct vm_area_struct *vma,
         */
        if (unlikely(anon_vma_prepare(vma)))
                return -ENOMEM;
+
+       address &= PAGE_MASK;
+       error = security_file_mmap(0, 0, 0, 0, address, 1);
+       if (error)
+               return error;
+
        anon_vma_lock(vma);
 
        /*
@@ -1626,8 +1632,6 @@ static inline int expand_downwards(struct vm_area_struct *vma,
         * is required to hold the mmap_sem in read mode.  We need the
         * anon_vma lock to serialize against concurrent expand_stacks.
         */
-       address &= PAGE_MASK;
-       error = 0;
 
        /* Somebody else might have raced and expanded it already */
        if (address < vma->vm_start) {