swapfile: fix memory corruption via malformed swapfile - linux

diff options

author	Jann Horn <jann@thejh.net>	2016-11-10 19:46:19 +0100
committer	Linus Torvalds <torvalds@linux-foundation.org>	2016-11-11 17:12:37 +0100
commit	dd111be69114cc867f8e826284559bfbc1c40e37 (patch)
tree	bd245104ef2c79a3aaa1fe61ff3c2c6a13744736 /mm/madvise.c
parent	mm/cma.c: check the max limit for cma allocation (diff)
download	linux-dd111be69114cc867f8e826284559bfbc1c40e37.tar.xz linux-dd111be69114cc867f8e826284559bfbc1c40e37.zip

swapfile: fix memory corruption via malformed swapfile

When root activates a swap partition whose header has the wrong endianness, nr_badpages elements of badpages are swabbed before nr_badpages has been checked, leading to a buffer overrun of up to 8GB. This normally is not a security issue because it can only be exploited by root (more specifically, a process with CAP_SYS_ADMIN or the ability to modify a swap file/partition), and such a process can already e.g. modify swapped-out memory of any other userspace process on the system. Link: http://lkml.kernel.org/r/1477949533-2509-1-git-send-email-jann@thejh.net Signed-off-by: Jann Horn <jann@thejh.net> Acked-by: Kees Cook <keescook@chromium.org> Acked-by: Jerome Marchand <jmarchan@redhat.com> Acked-by: Johannes Weiner <hannes@cmpxchg.org> Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com> Cc: Vlastimil Babka <vbabka@suse.cz> Cc: Hugh Dickins <hughd@google.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Diffstat (limited to 'mm/madvise.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: