[PATCH] prevent do_brk() from allocating below mmap_min_addr

This is the 2.4 equivalent of the following 2.6 patch by Eric Paris :
ecaf18c15aac8bb9bed7b7aa0e382fe252e275d5

Given a specifically crafted binary do_brk() can be used to get low
pages available in userspace virtually memory and can thus be used to
circumvent the mmap_min_addr low memory protection.  Add security checks
in do_brk().

Signed-off-by: Willy Tarreau <w@1wt.eu>

diff --git a/mm/mmap.c b/mm/mmap.c
index d35ff3e..536510a 100644 (file)
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -1073,6 +1073,9 @@ unsigned long do_brk(unsigned long addr, unsigned long len)
        if ((addr + len) > TASK_SIZE || (addr + len) < addr)
                return -EINVAL;
 
+       if (addr < mmap_min_addr && !capable(CAP_SYS_RAWIO))
+               return -ENOMEM;
+
        /*
         * mlock MCL_FUTURE?
         */