proc: fix oops on invalid /proc/<pid>/maps access, CVE-2011-1020 ubuntu-natty_ti-omap4
author Linus Torvalds <torvalds@linux-foundation.org>
Mon, 29 Aug 2011 15:11:07 +0000 (12:11 -0300)
committer Tim Gardner <tim.gardner@canonical.com>
Mon, 29 Aug 2011 15:48:33 +0000 (09:48 -0600)
commit 3ce9e25f213280d2e0d149b620f734e70400ff5e
tree 8113cd9c16c7cd105c9e283805adbaa8bea1329f
parent 17428fd2e7940468fe91beaa5ea720185b7c8c8c
proc: fix oops on invalid /proc/<pid>/maps access, CVE-2011-1020

When m_start returns an error, the seq_file logic will still call m_stop
with that error entry, so we'd better make sure that we check it before
using it as a vma.

Introduced by commit ec6fd8a4355c ("report errors in /proc/*/*map*
sanely"), which replaced NULL with various ERR_PTR() cases.

(On ia64, you happen to get an unaligned fault instead of a page fault,
since the address used is generally some random error code like -EPERM)

Reported-by: Anca Emanuel <anca.emanuel@gmail.com>
Reported-by: Tony Luck <tony.luck@intel.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Américo Wang <xiyou.wangcong@gmail.com>
Cc: Stephen Wilson <wilsons@start.ca>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit 76597cd31470fa130784c78fadb4dab2e624a723)
CVE-2011-1020
BugLink: http://bugs.launchpad.net/bugs/813026
Signed-off-by: Herton R. Krzesinski <herton.krzesinski@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
fs/proc/task_mmu.c
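
The failure mode the commit message describes, as an added userspace example (not the kernel source and not the patch itself): a start handler returns an error encoded as a pointer, the stop handler is still called with that value, and stop must test it before treating it as a vma. The `_model` functions, `struct vma`, `demo_vma`, `unlock_calls` and `read_cycle` are hypothetical names; `ERR_PTR`, `PTR_ERR` and `IS_ERR` are re-implemented here after the kernel helpers of the same names.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_ERRNO 4095
/* Userspace re-implementation of the kernel's error-pointer encoding:
 * a negative errno is stored in the last 4095 values of the address space. */
static void *ERR_PTR(long err) { return (void *)(intptr_t)err; }
static long PTR_ERR(const void *p) { return (long)(intptr_t)p; }
static int IS_ERR(const void *p) { return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO; }

struct vma { int locked; };   /* hypothetical stand-in for a real vma */
static struct vma demo_vma;   /* constructed sample object */
static int unlock_calls;      /* how many times stop touched a real vma */

/* start: returns a usable entry, or an errno encoded as a pointer */
static void *m_start_model(int allowed) {
    if (!allowed)
        return ERR_PTR(-EPERM);
    demo_vma.locked = 1;
    return &demo_vma;
}

/* stop: receives whatever start returned, error values included */
static void m_stop_model(void *v) {
    struct vma *vma = v;
    if (IS_ERR(vma))          /* without this test, -EPERM is dereferenced */
        return;
    if (vma) {
        vma->locked = 0;
        unlock_calls++;
    }
}

/* One start/stop cycle; stop runs even when start failed.
 * Returns 0 on success or the negative errno from start. */
static long read_cycle(int allowed) {
    void *v = m_start_model(allowed);
    long ret = IS_ERR(v) ? PTR_ERR(v) : 0;
    m_stop_model(v);
    return ret;
}

int main(void) {
    printf("allowed: %ld\n", read_cycle(1));
    printf("denied:  %ld\n", read_cycle(0));
    return 0;
}
```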