!13392 CVE-2024-47745 (e4ad5a7c) · Commits · EulixOS / Software / Kernel

mm/mmap.c

+51 −31

Original line number	Diff line number	Diff line
		@@ -3084,6 +3084,7 @@ SYSCALL_DEFINE5(remap_file_pages, unsigned long, start, unsigned long, size,
		unsigned long populate = 0;
		unsigned long ret = -EINVAL;
		struct file *file;
		vm_flags_t vm_flags;

		pr_warn_once("%s (%d) uses deprecated remap_file_pages() syscall. See Documentation/vm/remap_file_pages.rst.\n",
		current->comm, current->pid);
		@@ -3100,15 +3101,60 @@ SYSCALL_DEFINE5(remap_file_pages, unsigned long, start, unsigned long, size,
		if (pgoff + (size >> PAGE_SHIFT) < pgoff)
		return ret;

		if (mmap_write_lock_killable(mm))
		if (mmap_read_lock_killable(mm))
		return -EINTR;

		vma = find_vma(mm, start);
		/*
		* Look up VMA under read lock first so we can perform the security
		* without holding locks (which can be problematic). We reacquire a
		* write lock later and check nothing changed underneath us.
		*/
		vma = vma_lookup(mm, start);

		if (!vma \|\| !(vma->vm_flags & VM_SHARED)) {
		mmap_read_unlock(mm);
		return -EINVAL;
		}

		prot \|= vma->vm_flags & VM_READ ? PROT_READ : 0;
		prot \|= vma->vm_flags & VM_WRITE ? PROT_WRITE : 0;
		prot \|= vma->vm_flags & VM_EXEC ? PROT_EXEC : 0;

		flags &= MAP_NONBLOCK;
		flags \|= MAP_SHARED \| MAP_FIXED \| MAP_POPULATE;
		if (vma->vm_flags & VM_LOCKED)
		flags \|= MAP_LOCKED;

		/* Save vm_flags used to calculate prot and flags, and recheck later. */
		vm_flags = vma->vm_flags;
		file = get_file(vma->vm_file);

		mmap_read_unlock(mm);

		/* Call outside mmap_lock to be consistent with other callers. */
		ret = security_mmap_file(file, prot, flags);
		if (ret) {
		fput(file);
		return ret;
		}

		ret = -EINVAL;

		if (!vma \|\| !(vma->vm_flags & VM_SHARED))
		/* OK security check passed, take write lock + let it rip. */
		if (mmap_write_lock_killable(mm)) {
		fput(file);
		return -EINTR;
		}

		vma = vma_lookup(mm, start);

		if (!vma)
		goto out;

		if (start < vma->vm_start)
		/* Make sure things didn't change under us. */
		if (vma->vm_flags != vm_flags)
		goto out;
		if (vma->vm_file != file)
		goto out;

		if (start + size > vma->vm_end) {
		@@ -3133,37 +3179,11 @@ SYSCALL_DEFINE5(remap_file_pages, unsigned long, start, unsigned long, size,
		goto out;
		}

		prot \|= vma->vm_flags & VM_READ ? PROT_READ : 0;
		prot \|= vma->vm_flags & VM_WRITE ? PROT_WRITE : 0;
		prot \|= vma->vm_flags & VM_EXEC ? PROT_EXEC : 0;

		flags &= MAP_NONBLOCK;
		flags \|= MAP_SHARED \| MAP_FIXED \| MAP_POPULATE;
		if (vma->vm_flags & VM_LOCKED) {
		struct vm_area_struct *tmp;
		flags \|= MAP_LOCKED;

		/* drop PG_Mlocked flag for over-mapped range */
		for (tmp = vma; tmp->vm_start >= start + size;
		tmp = tmp->vm_next) {
		/*
		* Split pmd and munlock page on the border
		* of the range.
		*/
		vma_adjust_trans_huge(tmp, start, start + size, 0);

		munlock_vma_pages_range(tmp,
		max(tmp->vm_start, start),
		min(tmp->vm_end, start + size));
		}
		}

		file = get_file(vma->vm_file);
		ret = do_mmap(vma->vm_file, start, size,
		prot, flags, pgoff, &populate, NULL);
		fput(file);
		out:
		mmap_write_unlock(mm);
		fput(file);
		if (populate)
		mm_populate(ret, populate);
		if (!IS_ERR_VALUE(ret))