mirror of
git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
synced 2025-08-05 16:54:27 +00:00
a231f5bdfd
Commit3b3376f222("sysctl.c: fix underflow value setting risk in vm_table") fixes underflow value setting risk in vm_table but misses vdso_enabled sysctl. vdso_enabled sysctl is initialized with .extra1 value as SYSCTL_ZERO to avoid negative value writes but the proc_handler is proc_dointvec and not proc_dointvec_minmax and thus do not uses .extra1 and .extra2. The following command thus works : `# echo -1 > /proc/sys/vm/vdso_enabled` This patch properly sets the proc_handler to proc_dointvec_minmax. In addition to .extra1, .extra2 is set to SYSCTL_ONE. The sysctl is thus bounded between 0 and 1. Fixes:3b3376f222("sysctl.c: fix underflow value setting risk in vm_table") Signed-off-by: Nicolas Bouchinet <nicolas.bouchinet@ssi.gouv.fr> Reviewed-by: Jan Kara <jack@suse.cz> Reviewed-by: Kees Cook <kees@kernel.org> Signed-off-by: Joel Granados <joel.granados@kernel.org>
122 lines
2.7 KiB
C
122 lines
2.7 KiB
C
// SPDX-License-Identifier: GPL-2.0
|
|
/*
|
|
* arch/sh/kernel/vsyscall/vsyscall.c
|
|
*
|
|
* Copyright (C) 2006 Paul Mundt
|
|
*
|
|
* vDSO randomization
|
|
* Copyright(C) 2005-2006, Red Hat, Inc., Ingo Molnar
|
|
*/
|
|
#include <linux/mm.h>
|
|
#include <linux/kernel.h>
|
|
#include <linux/init.h>
|
|
#include <linux/gfp.h>
|
|
#include <linux/module.h>
|
|
#include <linux/elf.h>
|
|
#include <linux/sched.h>
|
|
#include <linux/sysctl.h>
|
|
#include <linux/err.h>
|
|
|
|
/*
|
|
* Should the kernel map a VDSO page into processes and pass its
|
|
* address down to glibc upon exec()?
|
|
*/
|
|
unsigned int __read_mostly vdso_enabled = 1;
|
|
EXPORT_SYMBOL_GPL(vdso_enabled);
|
|
|
|
static int __init vdso_setup(char *s)
|
|
{
|
|
vdso_enabled = simple_strtoul(s, NULL, 0);
|
|
return 1;
|
|
}
|
|
__setup("vdso=", vdso_setup);
|
|
|
|
static const struct ctl_table vdso_table[] = {
|
|
{
|
|
.procname = "vdso_enabled",
|
|
.data = &vdso_enabled,
|
|
.maxlen = sizeof(vdso_enabled),
|
|
.mode = 0644,
|
|
.proc_handler = proc_dointvec_minmax,
|
|
.extra1 = SYSCTL_ZERO,
|
|
.extra2 = SYSCTL_ONE,
|
|
},
|
|
};
|
|
|
|
/*
|
|
* These symbols are defined by vsyscall.o to mark the bounds
|
|
* of the ELF DSO images included therein.
|
|
*/
|
|
extern const char vsyscall_trapa_start, vsyscall_trapa_end;
|
|
static struct page *syscall_pages[1];
|
|
static struct vm_special_mapping vdso_mapping = {
|
|
.name = "[vdso]",
|
|
.pages = syscall_pages,
|
|
};
|
|
|
|
int __init vsyscall_init(void)
|
|
{
|
|
void *syscall_page = (void *)get_zeroed_page(GFP_ATOMIC);
|
|
syscall_pages[0] = virt_to_page(syscall_page);
|
|
|
|
/*
|
|
* XXX: Map this page to a fixmap entry if we get around
|
|
* to adding the page to ELF core dumps
|
|
*/
|
|
|
|
memcpy(syscall_page,
|
|
&vsyscall_trapa_start,
|
|
&vsyscall_trapa_end - &vsyscall_trapa_start);
|
|
|
|
return 0;
|
|
}
|
|
|
|
static int __init vm_sysctl_init(void)
|
|
{
|
|
register_sysctl_init("vm", vdso_table);
|
|
return 0;
|
|
}
|
|
|
|
fs_initcall(vm_sysctl_init);
|
|
|
|
/* Setup a VMA at program startup for the vsyscall page */
|
|
int arch_setup_additional_pages(struct linux_binprm *bprm, int uses_interp)
|
|
{
|
|
struct mm_struct *mm = current->mm;
|
|
struct vm_area_struct *vma;
|
|
unsigned long addr;
|
|
int ret;
|
|
|
|
if (mmap_write_lock_killable(mm))
|
|
return -EINTR;
|
|
|
|
addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, 0);
|
|
if (IS_ERR_VALUE(addr)) {
|
|
ret = addr;
|
|
goto up_fail;
|
|
}
|
|
|
|
vdso_mapping.pages = syscall_pages;
|
|
vma = _install_special_mapping(mm, addr, PAGE_SIZE,
|
|
VM_READ | VM_EXEC |
|
|
VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC,
|
|
&vdso_mapping);
|
|
ret = PTR_ERR(vma);
|
|
if (IS_ERR(vma))
|
|
goto up_fail;
|
|
|
|
current->mm->context.vdso = (void *)addr;
|
|
ret = 0;
|
|
|
|
up_fail:
|
|
mmap_write_unlock(mm);
|
|
return ret;
|
|
}
|
|
|
|
const char *arch_vma_name(struct vm_area_struct *vma)
|
|
{
|
|
if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
|
|
return "[vdso]";
|
|
|
|
return NULL;
|
|
}
|