[Devel] [PATCH RHEL7 COMMIT] prctl: Fix false positive in validate_prctl_map

Konstantin Khorenko khorenko at virtuozzo.com
Thu Apr 11 13:00:28 MSK 2019 

The commit is pushed to "branch-rh7-3.10.0-957.10.1.vz7.94.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-957.10.1.vz7.94.12
------>
commit 7ac4df2b35d3f6a85433711760a675b68cc8afd8
Author: Kirill Gorkunov <gorcunov at virtuozzo.com>
Date:   Thu Apr 11 13:00:25 2019 +0300

    prctl: Fix false positive in validate_prctl_map
    
    While validating new map we require the @start_data to be strictly less
    than @end_data, which is fine for regular applications (this is why this
    nit didn't trigger for that long). These members are set from executable
    loaders such as elf halders, still it is pretty valid to have a loadable
    data section with zero size in file, in such case the start_data is equal
    to end_data once kernel loader finishes.
    
    In result when we'are trying to restore such program the procedure fails
    and kernel returns -EINVAL. From the image dump of a program:
    
     | "mm_start_code": "0x400000",
     | "mm_end_code": "0x8f5fb4",
     | "mm_start_data": "0xf1bfb0",
     | "mm_end_data": "0xf1bfb0",
    
    Thus we need to change validate_prctl_map from strictly less to less or
    equal operator use.
    
    https://jira.sw.ru/browse/PSBM-93526
    
    Fixes: f606b77f1a9e362451aca8f81d8f36a3a112139e
    Signed-off-by: Cyrill Gorcunov <gorcunov at gmail.com>
    
    The patch is taken into linux-next:
    http://git.cmpxchg.org/cgit.cgi/linux-mmotm.git/commit/?id=93898d5bbe0677fc34de280c94af163055f16082
---
 kernel/sys.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/sys.c b/kernel/sys.c
index b96b8814f252..48e69514b466 100644
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -2153,7 +2153,7 @@ static int validate_prctl_map(struct prctl_mm_map *prctl_map)
 	((unsigned long)prctl_map->__m1 __op				\
 	 (unsigned long)prctl_map->__m2) ? 0 : -EINVAL
 	error  = __prctl_check_order(start_code, <, end_code);
-	error |= __prctl_check_order(start_data, <, end_data);
+	error |= __prctl_check_order(start_data,<=, end_data);
 	error |= __prctl_check_order(start_brk, <=, brk);
 	error |= __prctl_check_order(arg_start, <=, arg_end);
 	error |= __prctl_check_order(env_start, <=, env_end);

More information about the Devel mailing list