mm: CVE-2019-9213

mm: enforce min addr even if capable() in expand_downwards()

References:
https://nvd.nist.gov/vuln/detail/CVE-2019-9213
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=331fc4df776be3e5a88a1a9f08ef2f7e063ef1a9

Change-Id: I63e9ecc3091d8c0ff8bc9de49680fe4e7632eb81
Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>

2 files changed, 53 insertions, 0 deletions

diff --git a/patches/cve/4.9.x.scc b/patches/cve/4.9.x.scc
index 2794efe..99eb8ce 100644
--- a/patches/cve/4.9.x.scc
+++ b/patches/cve/4.9.x.scc
@@ -31,3 +31,6 @@ patch CVE-2018-20169-USB-check-usb_get_extra_descriptor-for-proper-size.patch
 
 #CVEs fixed in 4.9.151:
 patch CVE-2018-16884-sunrpc-use-after-free-in-svc_process_common.patch
+
+#CVEs fixed in 4.9.162:
+patch CVE-2019-9213-mm-enforce-min-addr-even-if-capable-in-expand_downwa.patch
diff --git a/patches/cve/CVE-2019-9213-mm-enforce-min-addr-even-if-capable-in-expand_downwa.patch b/patches/cve/CVE-2019-9213-mm-enforce-min-addr-even-if-capable-in-expand_downwa.patch
new file mode 100644
index 0000000..f709596
--- /dev/null
+++ b/patches/cve/CVE-2019-9213-mm-enforce-min-addr-even-if-capable-in-expand_downwa.patch
@@ -0,0 +1,50 @@
+From 331fc4df776be3e5a88a1a9f08ef2f7e063ef1a9 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Wed, 27 Feb 2019 21:29:52 +0100
+Subject: [PATCH] mm: enforce min addr even if capable() in expand_downwards()
+
+commit 0a1d52994d440e21def1c2174932410b4f2a98a1 upstream.
+
+security_mmap_addr() does a capability check with current_cred(), but
+we can reach this code from contexts like a VFS write handler where
+current_cred() must not be used.
+
+This can be abused on systems without SMAP to make NULL pointer
+dereferences exploitable again.
+
+CVE: CVE-2019-9213
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=331fc4df776be3e5a88a1a9f08ef2f7e063ef1a9]
+
+Fixes: 8869477a49c3 ("security: protect from stack expansion into low vm addresses")
+Cc: stable@kernel.org
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ mm/mmap.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/mm/mmap.c b/mm/mmap.c
+index 283755645d17..3f2314ad6acd 100644
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -2345,12 +2345,11 @@ int expand_downwards(struct vm_area_struct *vma,
+        struct mm_struct *mm = vma->vm_mm;
+        struct vm_area_struct *prev;
+        unsigned long gap_addr;
+-       int error;
++       int error = 0;
+ 
+        address &= PAGE_MASK;
+-       error = security_mmap_addr(address);
+-       if (error)
+-               return error;
++       if (address < mmap_min_addr)
++               return -EPERM;
+ 
+        /* Enforce stack_guard_gap */
+        gap_addr = address - stack_guard_gap;
+-- 
+2.20.1
+