3.18-stable review patch. If anyone has any objections, please let me know.
------------------ From: Jann Horn <j...@thejh.net> commit dd111be69114cc867f8e826284559bfbc1c40e37 upstream. When root activates a swap partition whose header has the wrong endianness, nr_badpages elements of badpages are swabbed before nr_badpages has been checked, leading to a buffer overrun of up to 8GB. This normally is not a security issue because it can only be exploited by root (more specifically, a process with CAP_SYS_ADMIN or the ability to modify a swap file/partition), and such a process can already e.g. modify swapped-out memory of any other userspace process on the system. Link: http://lkml.kernel.org/r/1477949533-2509-1-git-send-email-j...@thejh.net Signed-off-by: Jann Horn <j...@thejh.net> Acked-by: Kees Cook <keesc...@chromium.org> Acked-by: Jerome Marchand <jmarc...@redhat.com> Acked-by: Johannes Weiner <han...@cmpxchg.org> Cc: "Kirill A. Shutemov" <kirill.shute...@linux.intel.com> Cc: Vlastimil Babka <vba...@suse.cz> Cc: Hugh Dickins <hu...@google.com> Signed-off-by: Andrew Morton <a...@linux-foundation.org> Signed-off-by: Linus Torvalds <torva...@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org> --- mm/swapfile.c | 2 ++ 1 file changed, 2 insertions(+) --- a/mm/swapfile.c +++ b/mm/swapfile.c @@ -2184,6 +2184,8 @@ static unsigned long read_swap_header(st swab32s(&swap_header->info.version); swab32s(&swap_header->info.last_page); swab32s(&swap_header->info.nr_badpages); + if (swap_header->info.nr_badpages > MAX_SWAP_BADPAGES) + return 0; for (i = 0; i < swap_header->info.nr_badpages; i++) swab32s(&swap_header->info.badpages[i]); }
