shmat()'s SHM_REMAP option forbids passing a nil address for; this
is in fact the very first thing we check for. Andrea reported that
for SHM_RND|SHM_REMAP cases we can end up bypassing the initial
addr check, but we need to check again if the address was rounded
down to nil. As of this patch, such cases will return -EINVAL.
Reported-by: Andrea Arcangeli <aarca...@redhat.com>
Signed-off-by: Davidlohr Bueso <dbu...@suse.de>
---
ipc/shm.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/ipc/shm.c b/ipc/shm.c
index b81d53c8f459..29978ee76c2e 100644
--- a/ipc/shm.c
+++ b/ipc/shm.c
@@ -1371,9 +1371,17 @@ long do_shmat(int shmid, char __user *shmaddr, int
shmflg,
if (addr) {
if (addr & (shmlba - 1)) {
- if (shmflg & SHM_RND)
+ if (shmflg & SHM_RND) {
addr &= ~(shmlba - 1); /* round down */
- else
+
+ /*
+ * Ensure that the round-down is non-nil
+ * when remapping. This can happen for
+ * cases when addr < shmlba.
+ */
+ if (!addr && (shmflg & SHM_REMAP))
+ goto out;
+ } else
#ifndef __ARCH_FORCE_SHMLBA
if (addr & ~PAGE_MASK)
#endif
--
2.13.6
