linux-vfio/CVE-2017-1000364.fixup.allow-stack-to-grow-up-to-address-space-limit.patch

From bd726c90b6b8ce87602208701b208a208e6d5600 Mon Sep 17 00:00:00 2001
From: Helge Deller <deller@gmx.de>
Date: Mon, 19 Jun 2017 17:34:05 +0200
Subject: [PATCH] Allow stack to grow up to address space limit

Fix expand_upwards() on architectures with an upward-growing stack (parisc,
metag and partly IA-64) to allow the stack to reliably grow exactly up to
the address space limit given by TASK_SIZE.

Signed-off-by: Helge Deller <deller@gmx.de>
Acked-by: Hugh Dickins <hughd@google.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
---
 mm/mmap.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/mm/mmap.c b/mm/mmap.c
index 290b77d9a01e0..a5e3dcd75e79f 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -2230,16 +2230,19 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address)
 	if (!(vma->vm_flags & VM_GROWSUP))
 		return -EFAULT;
 
-	/* Guard against wrapping around to address 0. */
+	/* Guard against exceeding limits of the address space. */
 	address &= PAGE_MASK;
-	address += PAGE_SIZE;
-	if (!address)
+	if (address >= TASK_SIZE)
 		return -ENOMEM;
+	address += PAGE_SIZE;
 
 	/* Enforce stack_guard_gap */
 	gap_addr = address + stack_guard_gap;
-	if (gap_addr < address)
-		return -ENOMEM;
+
+	/* Guard against overflow */
+	if (gap_addr < address || gap_addr > TASK_SIZE)
+		gap_addr = TASK_SIZE;
+
 	next = vma->vm_next;
 	if (next && next->vm_start < gap_addr) {
 		if (!(next->vm_flags & VM_GROWSUP))
Update to 4.11.6-1 2017-06-23 03:51:45 +00:00			`From bd726c90b6b8ce87602208701b208a208e6d5600 Mon Sep 17 00:00:00 2001`
			`From: Helge Deller <deller@gmx.de>`
			`Date: Mon, 19 Jun 2017 17:34:05 +0200`
			`Subject: [PATCH] Allow stack to grow up to address space limit`

			`Fix expand_upwards() on architectures with an upward-growing stack (parisc,`
			`metag and partly IA-64) to allow the stack to reliably grow exactly up to`
			`the address space limit given by TASK_SIZE.`

			`Signed-off-by: Helge Deller <deller@gmx.de>`
			`Acked-by: Hugh Dickins <hughd@google.com>`
			`Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>`
			`---`
			`mm/mmap.c \| 13 ++++++++-----`
			`1 file changed, 8 insertions(+), 5 deletions(-)`

			`diff --git a/mm/mmap.c b/mm/mmap.c`
			`index 290b77d9a01e0..a5e3dcd75e79f 100644`
			`--- a/mm/mmap.c`
			`+++ b/mm/mmap.c`
			`@@ -2230,16 +2230,19 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address)`
			`if (!(vma->vm_flags & VM_GROWSUP))`
			`return -EFAULT;`

			`- /* Guard against wrapping around to address 0. */`
			`+ /* Guard against exceeding limits of the address space. */`
			`address &= PAGE_MASK;`
			`- address += PAGE_SIZE;`
			`- if (!address)`
			`+ if (address >= TASK_SIZE)`
			`return -ENOMEM;`
			`+ address += PAGE_SIZE;`

			`/* Enforce stack_guard_gap */`
			`gap_addr = address + stack_guard_gap;`
			`- if (gap_addr < address)`
			`- return -ENOMEM;`
			`+`
			`+ /* Guard against overflow */`
			`+ if (gap_addr < address \|\| gap_addr > TASK_SIZE)`
			`+ gap_addr = TASK_SIZE;`
			`+`
			`next = vma->vm_next;`
			`if (next && next->vm_start < gap_addr) {`
			`if (!(next->vm_flags & VM_GROWSUP))`