From: Siddha, Suresh B Date: Sat, 16 Jul 2005 02:17:44 +0000 (-0700) Subject: [PATCH] x86_64: TASK_SIZE fixes for compatibility mode processes X-Git-Tag: v2.6.13-rc4~91 X-Git-Url: https://err.no/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9fb1759a3102c26cd8f64254a7c3e532782c2bb8;p=linux-2.6 [PATCH] x86_64: TASK_SIZE fixes for compatibility mode processes A malicious 32bit app can have an elf section at 0xffffe000. During exec of this app, we will have a memory leak as insert_vm_struct() is not checking for return value in syscall32_setup_pages() and thus not freeing the vma allocated for the vsyscall page. Check the return value and free the vma incase of failure. Signed-off-by: Suresh Siddha Signed-off-by: Linus Torvalds --- diff --git a/arch/x86_64/ia32/syscall32.c b/arch/x86_64/ia32/syscall32.c index 01d8db1a1c..816a3b89f1 100644 --- a/arch/x86_64/ia32/syscall32.c +++ b/arch/x86_64/ia32/syscall32.c @@ -57,6 +57,7 @@ int syscall32_setup_pages(struct linux_binprm *bprm, int exstack) int npages = (VSYSCALL32_END - VSYSCALL32_BASE) >> PAGE_SHIFT; struct vm_area_struct *vma; struct mm_struct *mm = current->mm; + int ret; vma = kmem_cache_alloc(vm_area_cachep, SLAB_KERNEL); if (!vma) @@ -78,7 +79,11 @@ int syscall32_setup_pages(struct linux_binprm *bprm, int exstack) vma->vm_mm = mm; down_write(&mm->mmap_sem); - insert_vm_struct(mm, vma); + if ((ret = insert_vm_struct(mm, vma))) { + up_write(&mm->mmap_sem); + kmem_cache_free(vm_area_cachep, vma); + return ret; + } mm->total_vm += npages; up_write(&mm->mmap_sem); return 0;