From 7109a2536c95d4c3a438b22e8d176859f76e6d25 Mon Sep 17 00:00:00 2001 From: Andreas Wellving Date: Wed, 22 May 2019 12:50:23 +0200 Subject: mm: CVE-2019-9213 mm: enforce min addr even if capable() in expand_downwards() Reference: https://nvd.nist.gov/vuln/detail/CVE-2019-9213 https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=f5817069248630b3b7b17ebfcdee0b679c52be33 Change-Id: I13dc9fc12825a3c83dc695b7dc4bb7724048d562 Signed-off-by: Andreas Wellving --- ...min-addr-even-if-capable-in-expand_downwa.patch | 50 ++++++++++++++++++++++ 1 file changed, 50 insertions(+) create mode 100644 patches/cve/CVE-2019-9213-mm-enforce-min-addr-even-if-capable-in-expand_downwa.patch diff --git a/patches/cve/CVE-2019-9213-mm-enforce-min-addr-even-if-capable-in-expand_downwa.patch b/patches/cve/CVE-2019-9213-mm-enforce-min-addr-even-if-capable-in-expand_downwa.patch new file mode 100644 index 0000000..3552669 --- /dev/null +++ b/patches/cve/CVE-2019-9213-mm-enforce-min-addr-even-if-capable-in-expand_downwa.patch 
@@ -0,0 +1,50 @@ +From f5817069248630b3b7b17ebfcdee0b679c52be33 Mon Sep 17 00:00:00 2001 +From: Jann Horn +Date: Wed, 27 Feb 2019 21:29:52 +0100 +Subject: [PATCH] mm: enforce min addr even if capable() in expand_downwards() + +commit 0a1d52994d440e21def1c2174932410b4f2a98a1 upstream. + +security_mmap_addr() does a capability check with current_cred(), but +we can reach this code from contexts like a VFS write handler where +current_cred() must not be used. + +This can be abused on systems without SMAP to make NULL pointer +dereferences exploitable again. + +CVE: CVE-2019-9213 +Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=f5817069248630b3b7b17ebfcdee0b679c52be33] + +Fixes: 8869477a49c3 ("security: protect from stack expansion into low vm addresses") +Cc: stable@kernel.org +Signed-off-by: Jann Horn +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Andreas Wellving +--- + mm/mmap.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/mm/mmap.c b/mm/mmap.c +index 2398776195d2..00dab291e61d 100644 +--- a/mm/mmap.c ++++ b/mm/mmap.c +@@ -2348,12 +2348,11 @@ int expand_downwards(struct vm_area_struct *vma, + { + struct mm_struct *mm = vma->vm_mm; + struct vm_area_struct *prev; +- int error; ++ int error = 0; + + address &= PAGE_MASK; +- error = security_mmap_addr(address); +- if (error) +- return error; ++ if (address < mmap_min_addr) ++ return -EPERM; + + /* Enforce stack_guard_gap */ + prev = vma->vm_prev; +-- +2.20.1 + -- cgit v1.2.3-54-g00ecf
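Review bot: In the mm/mmap.c hunk for expand_downwards(), the new `if (address < mmap_min_addr)` / `return -EPERM;` check carries no comment saying why it compares against mmap_min_addr directly instead of calling security_mmap_addr(), so a later cleanup could reintroduce the capability check. Suggest a short comment above it repeating what the commit message already states: this code can be reached from contexts such as a VFS write handler where current_cred() must not be used, so the minimum address is enforced even for capable() callers. Two smaller points to confirm against the linux-4.14.y tree this backport targets: the removed lines propagated whatever error security_mmap_addr() returned, while the new code always returns -EPERM, and the `int error = 0;` initialisation is only justified by uses of `error` further down the function that are not visible in this hunk.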