From patchwork Wed Oct 10 15:27:36 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jann Horn <jannh@google.com>
X-Patchwork-Id: 10634763
Return-Path: <owner-linux-mm@kvack.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
 [172.30.200.125])
	by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 96BF946E4
	for <patchwork-linux-mm@patchwork.kernel.org>;
 Wed, 10 Oct 2018 15:27:51 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id CB1F828FCD
	for <patchwork-linux-mm@patchwork.kernel.org>;
 Wed, 10 Oct 2018 15:27:50 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id BEBC92A6CB; Wed, 10 Oct 2018 15:27:50 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-10.5 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE,
	USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 4FE5228FCD
	for <patchwork-linux-mm@patchwork.kernel.org>;
 Wed, 10 Oct 2018 15:27:50 +0000 (UTC)
Received: by kanga.kvack.org (Postfix)
	id 32D8D6B026F; Wed, 10 Oct 2018 11:27:49 -0400 (EDT)
Delivered-To: linux-mm-outgoing@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 2B3B66B0270; Wed, 10 Oct 2018 11:27:49 -0400 (EDT)
X-Original-To: int-list-linux-mm@kvack.org
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 17D1E6B0271; Wed, 10 Oct 2018 11:27:49 -0400 (EDT)
X-Original-To: linux-mm@kvack.org
X-Delivered-To: linux-mm@kvack.org
Received: from mail-it1-f199.google.com (mail-it1-f199.google.com
 [209.85.166.199])
	by kanga.kvack.org (Postfix) with ESMTP id E235B6B026F
	for <linux-mm@kvack.org>; Wed, 10 Oct 2018 11:27:48 -0400 (EDT)
Received: by mail-it1-f199.google.com with SMTP id p125-v6so6301964itg.1
        for <linux-mm@kvack.org>; Wed, 10 Oct 2018 08:27:48 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:dkim-signature:date:message-id:mime-version
         :subject:from:to:cc;
        bh=kivcnfXf32/28cK0PBuqzT+DI9LbP01VfQkFJYq0CG8=;
        b=JneObsEiuezIFn9K4AxZCObKWTlkxHE3WkII9nSkwO0VV6fEnuO0Q6L7kKANb8CX9o
         7w3NsrvxXs4eJw1i+5J1mlW5IpzufBnDwUAwAE4HWnGmJHIDi5CcdlYEXkmuVvJzStgF
         xoz4FxTqAQcIRwet9I2BdPbWF3w+j7WIpwUG/kntbSHWkmavtAIjRaz+eN6W+c3zx9iJ
         eZUj2Czl8z5ofe46XoiGKkch/7yIhoc3GOyP2FhawZ867Ymuw3RZC/iyhUu2ktAzZ7cM
         dDrMOW2lb15eVj+jmLgWtlgjrhJxegxscrwP5hyuW4Xl5aECrNSlNGw/YeHkO6liPjUv
         3/Hg==
X-Gm-Message-State: ABuFfoivYK3UHY4BhIQ3HNyi8UrYwnTWeseMFXKNmNdDbkPuDhp6Osj/
	yxWJX35AlA7YLg6Pfy+36A2sFQNpMBxHT0fFd+e+YxyFdYGYN2QH6ED0oGdmCKc7KTb1UkSOAEy
	X9HA2NBUhAOuwKVz0I/hGu9nZUc5F+sBgyPG7xw1Y2irU5d8Xzge6IZ00bOuMPSyRywj4i6+W/6
	5q4+gzt59YY3Q7qXKx1bsrVNEuT7moOCohzQ0wQyterHFbS/QsgaAm21IGWesb8PtJxR0H9yjzM
	pRAaE3SaauDr4z5RzuoTI8Pgg3VlgbEdddTcQFlPY9ce7F4VBkM1qZ+QRs9NT54ZPuImabbU5Zy
	ZZqamtY9b0nyOpR874fIWTBT7lv72EhGzp7vhTChu4nZrU7jQ07MMj2hZ2rj3aDG5tUTnUAPdZO
	wyY43HjTQNdhiiiKm1SMhS7GP5B3R6yEgFoq5vMocAQu7Uzls6JzcfXkqor97W6j+lz8ibd1OH9
	V/m3UDu4JDWcB2Slu6PY9q7dRy0PxQhj+Qlv6y3681p5AZ6cdR16uY8axWdwLpL6RUADs+wcFKz
	OM45vyBkRptdasSrV7jeABeLSRj92cKvIf5SdX993J8KuGYMj/GGGkr3bs9yPWA96eR8lf6kd5u
	MM9sBcmg7n1zSvGd5w7i9gXth3orYiqZs5dHO6+ySQjxevaQxxDifeZlF+LxejmY+Iqk3HcBakP
	R
X-Received: by 2002:a02:5fc7:: with SMTP id
 x68-v6mr26502565jad.75.1539185268673;
        Wed, 10 Oct 2018 08:27:48 -0700 (PDT)
X-Received: by 2002:a02:5fc7:: with SMTP id
 x68-v6mr26502524jad.75.1539185267923;
        Wed, 10 Oct 2018 08:27:47 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1539185267; cv=none;
        d=google.com; s=arc-20160816;
        b=XEld3SR9ZQEfrB4095siM7gr34lfXvUCdBvSPlloxP7kavnN8VLSxGkD6E5gZ8kSyV
         ZwVZ+0cfsbq+tt1foeUTHzQWxkimJIAWMwNWTwUSBwiJDAulAYxodJXrH1iSTBTu9/oQ
         jf6QO0E7qnRthyt3nzRqFaQqbUZM9f8O4iXI4cZpmQnzKTgWPDqlM3ri/OxllMLaZxca
         bJzDip4W1psZgmraFSnNCoSEPEELlQ3gAmanUsAmZ8SExcmS+Dlj+gLXqRL8gT72jjyq
         gogNOgzH06nyT2A8xPs8HYiiVzIB6KZCJSLxTI/5RX93VxETKducJK40snSegwSQE58Q
         TyBQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816;
        h=cc:to:from:subject:mime-version:message-id:date:dkim-signature;
        bh=kivcnfXf32/28cK0PBuqzT+DI9LbP01VfQkFJYq0CG8=;
        b=TEfZUUxNnSnN3Ak2ayu99VNosVRmEp//4srp85WRFcOld8/8rhksEUFYCXOLbRseJ3
         X4t0zl3cpepo1z+bv4CR3CE4pb4G/ZNiQJYuAtqVqzh1Q7xJrEd5gN/c5XLdPFQaqj1m
         1M5HJpCGjIHlBB49QkHMX61VzWujKI8V71FecE09c2koe3wrn8cq3evCKxhbva+D71nc
         m5cDuNFu4SlXBIBuad3EANqihJi3vaMHf7XO52LtRGClxg9PGKvS0FR/VI7tom+JWuFN
         T2wHqDPMWnfQzkRp4qkR2PBvR1dLCZan4130dehtX3A8jN6Uze3+02Eere9Oy7SjIo38
         ecQQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=HozdGy7h;
       spf=pass (google.com: domain of
 3cxq-wwukciqrivvpowwotm.kwutqv25-uus3iks.wzo@flex--jannh.bounces.google.com
 designates 209.85.220.73 as permitted sender)
 smtp.mailfrom=3cxq-WwUKCIQrivvpowwotm.kwutqv25-uus3iks.wzo@flex--jannh.bounces.google.com;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: from mail-sor-f73.google.com (mail-sor-f73.google.com.
 [209.85.220.73])
        by mx.google.com with SMTPS id
 c203-v6sor12081564itb.30.2018.10.10.08.27.47
        for <linux-mm@kvack.org>
        (Google Transport Security);
        Wed, 10 Oct 2018 08:27:47 -0700 (PDT)
Received-SPF: pass (google.com: domain of
 3cxq-wwukciqrivvpowwotm.kwutqv25-uus3iks.wzo@flex--jannh.bounces.google.com
 designates 209.85.220.73 as permitted sender) client-ip=209.85.220.73;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=HozdGy7h;
       spf=pass (google.com: domain of
 3cxq-wwukciqrivvpowwotm.kwutqv25-uus3iks.wzo@flex--jannh.bounces.google.com
 designates 209.85.220.73 as permitted sender)
 smtp.mailfrom=3cxq-WwUKCIQrivvpowwotm.kwutqv25-uus3iks.wzo@flex--jannh.bounces.google.com;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=date:message-id:mime-version:subject:from:to:cc;
        bh=kivcnfXf32/28cK0PBuqzT+DI9LbP01VfQkFJYq0CG8=;
        b=HozdGy7hLxz7k1Kkv8W8oC2b40PJVR2v5f7QP7jeftdEGlHP57K1TAhjGMRwftD4e5
         88tM93trAu/TYXAMiA2MRdTP9as6HA8sBZwAUwRPfU68JdcP0/bClohGycoMkVPPWNUa
         QGiJ35UUdjWE7ewklScAkISXLgUqMMO/dGEKsABplBPElclaLGywXucH761hocDIT0rQ
         FLsJK2VR0WHjZh/LO8XrZxsjkxxl3PLWN6rvASnfE1rGO1gu/ik0fhnH4309Zw4yh+Iz
         kKavir1Sz3w/kWQNHucbMbwdh/K7sjV/750eSfE0sXIac8LnRzs2yEt3p/H/Zz9vNg57
         l9Zw==
X-Google-Smtp-Source: 
 ACcGV63VtmATJ1ubsb4krdgwwlWxQ+hhBrfpXngDDjdDw5VmcaLXmBJ7P/Qm1DwsvtT34QxZkUil9cqgpg==
X-Received: by 2002:a24:3949:: with SMTP id
 l70-v6mr1083879ita.6.1539185267566;
 Wed, 10 Oct 2018 08:27:47 -0700 (PDT)
Date: Wed, 10 Oct 2018 17:27:36 +0200
Message-Id: <20181010152736.99475-1-jannh@google.com>
Mime-Version: 1.0
X-Mailer: git-send-email 2.19.0.605.g01d371f741-goog
Subject: [PATCH] mm: don't clobber partially overlapping VMA with
 MAP_FIXED_NOREPLACE
From: Jann Horn <jannh@google.com>
To: linux-mm@kvack.org, Andrew Morton <akpm@linux-foundation.org>,
 jannh@google.com
Cc: Khalid Aziz <khalid.aziz@oracle.com>, Michal Hocko <mhocko@suse.com>,
  Michael Ellerman <mpe@ellerman.id.au>,
 Russell King - ARM Linux <linux@armlinux.org.uk>,
  Andrea Arcangeli <aarcange@redhat.com>, Florian Weimer <fweimer@redhat.com>,
  John Hubbard <jhubbard@nvidia.com>, Matthew Wilcox <willy@infradead.org>,
  Abdul Haleem <abdhalee@linux.vnet.ibm.com>, Joel Stanley <joel@jms.id.au>,
  Kees Cook <keescook@chromium.org>, Jason Evans <jasone@google.com>,
  David Goldblatt <davidtgoldblatt@gmail.com>,  " =?utf-8?q?Edward_Tomasz_Na?=
	=?utf-8?q?piera=C5=82a?= " <trasz@FreeBSD.org>,
 Anshuman Khandual <khandual@linux.vnet.ibm.com>,
  Daniel Micay <danielmicay@gmail.com>
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000011, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>
X-Virus-Scanned: ClamAV using ClamSMTP

Daniel Micay reports that attempting to use MAP_FIXED_NOREPLACE in an
application causes that application to randomly crash. The existing check
for handling MAP_FIXED_NOREPLACE looks up the first VMA that either
overlaps or follows the requested region, and then bails out if that VMA
overlaps *the start* of the requested region. It does not bail out if the
VMA only overlaps another part of the requested region.

Fix it by checking that the found VMA only starts at or after the end of
the requested region, in which case there is no overlap.

Reported-by: Daniel Micay <danielmicay@gmail.com>
Fixes: a4ff8e8620d3 ("mm: introduce MAP_FIXED_NOREPLACE")
Cc: stable@vger.kernel.org
Signed-off-by: Jann Horn <jannh@google.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Acked-by: Kees Cook <keescook@chromium.org>
Acked-by: Vlastimil Babka <vbabka@suse.cz>
Reviewed-by: Khalid Aziz <khalid.aziz@oracle.com>
---
 mm/mmap.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mm/mmap.c b/mm/mmap.c
index 5f2b2b184c60..f7cd9cb966c0 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -1410,7 +1410,7 @@ unsigned long do_mmap(struct file *file, unsigned long addr,
 	if (flags & MAP_FIXED_NOREPLACE) {
 		struct vm_area_struct *vma = find_vma(mm, addr);
 
-		if (vma && vma->vm_start <= addr)
+		if (vma && vma->vm_start < addr + len)
 			return -EEXIST;
 	}