mm: avoid wrapping vm_pgoff in mremap()

commit 982134ba62618c2d69fbbbd166d0a11ee3b7e3d8 upstream.

The normal mmap paths all avoid creating a mapping where the pgoff
inside the mapping could wrap around due to overflow.  However, an
expanding mremap() can take such a non-wrapping mapping and make it
bigger and cause a wrapping condition.

Noticed by Robert Swiecki when running a system call fuzzer, where it
caused a BUG_ON() due to terminally confusing the vma_prio_tree code.  A
vma dumping patch by Hugh then pinpointed the crazy wrapped case.

Reported-and-tested-by: Robert Swiecki <robert@swiecki.net>
Acked-by: Hugh Dickins <hughd@google.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
[wt: 2.6.27 has this code in do_mremap()]

diff --git a/mm/mremap.c b/mm/mremap.c
index 63782eb8e5a88177fe2d667b3d6face2fa5f2832..a27c00798c2624496e6b56657be9d39a5e87e41a 100644 (file)
--- a/mm/mremap.c
+++ b/mm/mremap.c
@@ -333,10 +333,21 @@ unsigned long do_mremap(unsigned long addr,
        /* We can't remap across vm area boundaries */
        if (old_len > vma->vm_end - addr)
                goto out;
-       if (vma->vm_flags & (VM_DONTEXPAND | VM_PFNMAP)) {
-               if (new_len > old_len)
+
+       /* Need to be careful about a growing mapping */
+       if (new_len > old_len) {
+               unsigned long pgoff;
+
+               if (vma->vm_flags & (VM_DONTEXPAND | VM_PFNMAP))
                        goto out;
+               pgoff = (addr - vma->vm_start) >> PAGE_SHIFT;
+               pgoff += vma->vm_pgoff;
+               if (pgoff + (new_len >> PAGE_SHIFT) < pgoff) {
+                       ret = -EINVAL;
+                       goto out;
+               }
        }
+
        if (vma->vm_flags & VM_LOCKED) {
                unsigned long locked, lock_limit;
                locked = mm->locked_vm << PAGE_SHIFT;