VM/Security: add security hook to do_brk

Given a specifically crafted binary do_brk() can be used to get low pages available in userspace virtual memory and can thus be used to circumvent the mmap_min_addr low memory protection. Add security checks in do_brk(). Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Alan Cox <alan@redhat.com> Cc: Stephen Smalley <sds@tycho.nsa.gov> Cc: James Morris <jmorris@namei.org> Cc: Chris Wright <chrisw@sous-sol.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

VM/Security: add security hook to do_brk
Given a specifically crafted binary do_brk() can be used to get low pages available in userspace virtual memory and can thus be used to circumvent the mmap_min_addr low memory protection. Add security checks in do_brk(). Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Alan Cox <alan@redhat.com> Cc: Stephen Smalley <sds@tycho.nsa.gov> Cc: James Morris <jmorris@namei.org> Cc: Chris Wright <chrisw@sous-sol.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
ecaf18c1 · Eric Paris · Linus Torvalds · 294a80a8 · ecaf18c1
Commit ecaf18c1 authored Dec 04, 2007 by Eric Paris Committed by Linus Torvalds Dec 05, 2007
Show whitespace changes
Inline Side-by-side

Showing with 4 additions and 0 deletions

mm/mmap.c mm/mmap.c +4 -0

No files found.
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -1934,6 +1934,10 @@ unsigned long do_brk(unsigned long addr, unsigned long len)
 	if (is_hugepage_only_range(mm, addr, len))
 		return -EINVAL;
+	error = security_file_mmap(0, 0, 0, 0, addr, 1);
+	if (error)
+		return error;
 	flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
 	error = arch_mmap_check(addr, len, flags);