1 files changed, 50 insertions, 0 deletions
diff --git a/patches/cve/CVE-2019-9213-mm-enforce-min-addr-even-if-capable-in-expand_downwa.patch b/patches/cve/CVE-2019-9213-mm-enforce-min-addr-even-if-capable-in-expand_downwa.patch
new file mode 100644
index 0000000..f709596
--- /dev/null
+++ b/patches/cve/CVE-2019-9213-mm-enforce-min-addr-even-if-capable-in-expand_downwa.patch
@@ -0,0 +1,50 @@
+From 331fc4df776be3e5a88a1a9f08ef2f7e063ef1a9 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Wed, 27 Feb 2019 21:29:52 +0100
+Subject: [PATCH] mm: enforce min addr even if capable() in expand_downwards()
+commit 0a1d52994d440e21def1c2174932410b4f2a98a1 upstream.
+security_mmap_addr() does a capability check with current_cred(), but
+we can reach this code from contexts like a VFS write handler where
+current_cred() must not be used.
+This can be abused on systems without SMAP to make NULL pointer
+dereferences exploitable again.
+CVE: CVE-2019-9213
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=331fc4df776be3e5a88a1a9f08ef2f7e063ef1a9]
+Fixes: 8869477a49c3 ("security: protect from stack expansion into low vm addresses")
+Cc: stable@kernel.org
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ mm/mmap.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+diff --git a/mm/mmap.c b/mm/mmap.c
+index 283755645d17..3f2314ad6acd 100644
+--- a/mm/mmap.c
+++ b/mm/mmap.c
+@@ -2345,12 +2345,11 @@ int expand_downwards(struct vm_area_struct *vma,
+        struct mm_struct *mm = vma->vm_mm;
+        struct vm_area_struct *prev;
+        unsigned long gap_addr;
+-       int error;
+       int error = 0;
+ 
+        address &= PAGE_MASK;
+-       error = security_mmap_addr(address);
+-       if (error)
+-               return error;
+       if (address < mmap_min_addr)
+               return -EPERM;
+ 
+        /* Enforce stack_guard_gap */
+        gap_addr = address - stack_guard_gap;
+-- 
+2.20.1

diff --git a/patches/cve/CVE-2019-9213-mm-enforce-min-addr-even-if-capable-in-expand_downwa.patch b/patches/cve/CVE-2019-9213-mm-enforce-min-addr-even-if-capable-in-expand_downwa.patch new file mode 100644 index 0000000..f709596 --- /dev/null +++ b/patches/cve/CVE-2019-9213-mm-enforce-min-addr-even-if-capable-in-expand_downwa.patch
@@ -0,0 +1,50 @@
	1	From 331fc4df776be3e5a88a1a9f08ef2f7e063ef1a9 Mon Sep 17 00:00:00 2001
	2	From: Jann Horn <jannh@google.com>
	3	Date: Wed, 27 Feb 2019 21:29:52 +0100
	4	Subject: [PATCH] mm: enforce min addr even if capable() in expand_downwards()
	5
	6	commit 0a1d52994d440e21def1c2174932410b4f2a98a1 upstream.
	7
	8	security_mmap_addr() does a capability check with current_cred(), but
	9	we can reach this code from contexts like a VFS write handler where
	10	current_cred() must not be used.
	11
	12	This can be abused on systems without SMAP to make NULL pointer
	13	dereferences exploitable again.
	14
	15	CVE: CVE-2019-9213
	16	Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=331fc4df776be3e5a88a1a9f08ef2f7e063ef1a9]
	17
	18	Fixes: 8869477a49c3 ("security: protect from stack expansion into low vm addresses")
	19	Cc: stable@kernel.org
	20	Signed-off-by: Jann Horn <jannh@google.com>
	21	Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
	22	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	23	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
	24	---
	25	mm/mmap.c \| 7 +++----
	26	1 file changed, 3 insertions(+), 4 deletions(-)
	27
	28	diff --git a/mm/mmap.c b/mm/mmap.c
	29	index 283755645d17..3f2314ad6acd 100644
	30	--- a/mm/mmap.c
	31	+++ b/mm/mmap.c
	32	@@ -2345,12 +2345,11 @@ int expand_downwards(struct vm_area_struct *vma,
	33	struct mm_struct *mm = vma->vm_mm;
	34	struct vm_area_struct *prev;
	35	unsigned long gap_addr;
	36	- int error;
	37	+ int error = 0;
	38
	39	address &= PAGE_MASK;
	40	- error = security_mmap_addr(address);
	41	- if (error)
	42	- return error;
	43	+ if (address < mmap_min_addr)
	44	+ return -EPERM;
	45
	46	/* Enforce stack_guard_gap */
	47	gap_addr = address - stack_guard_gap;
	48	--
	49	2.20.1
	50