Headline
CVE-2019-9213: mm: enforce min addr even if capable() in expand_downwards() · torvalds/linux@0a1d529
In the Linux kernel before 4.20.14, expand_downwards in mm/mmap.c lacks a check for the mmap minimum address, which makes it easier for attackers to exploit kernel NULL pointer dereferences on non-SMAP platforms. This is related to a capability check for the wrong task.
mm: enforce min addr even if capable() in expand_downwards()
security_mmap_addr() does a capability check with current_cred(), but we can reach this code from contexts like a VFS write handler where current_cred() must not be used.
This can be abused on systems without SMAP to make NULL pointer dereferences exploitable again.
Fixes: 8869477 (“security: protect from stack expansion into low vm addresses”)
Cc: [email protected]
Signed-off-by: Jann Horn [email protected]
Signed-off-by: Linus Torvalds [email protected]
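The following shell functions are an added example, not part of the commit or the kernel tree: they triage a host for the two conditions the text above names, a CPU without SMAP and the vm.mmap_min_addr setting. The function names and verdict strings are hypothetical, an x86-style /proc/cpuinfo "flags" line is assumed, and the check does not tell you whether the running kernel carries the fix.

```shell
#!/bin/sh
# Added example: exposure triage for the conditions named in the CVE text.
# Inputs are passed as arguments so the logic can be exercised on sample data.

# has_smap CPUINFO_TEXT -> exit 0 if a "flags" line lists the exact word smap.
has_smap() {
    printf '%s\n' "$1" | awk '
        /^flags[ \t]*:/ { for (i = 2; i <= NF; i++) if ($i == "smap") found = 1 }
        END { exit (found ? 0 : 1) }'
}

# triage CPUINFO_TEXT MMAP_MIN_ADDR -> prints one verdict word (hypothetical names):
#   smap-present              SMAP is advertised; the text's "non-SMAP" case does not apply
#   no-smap-min-addr-disabled no SMAP and vm.mmap_min_addr is 0, so low mappings are allowed anyway
#   no-smap-needs-fix         no SMAP; the minimum address only holds if the kernel has the fix
#   unknown                   vm.mmap_min_addr value was not a decimal number
triage() {
    cpuinfo=$1
    min_addr=$2
    case $min_addr in
        ''|*[!0-9]*) echo "unknown"; return 0 ;;
    esac
    if has_smap "$cpuinfo"; then
        echo "smap-present"
    elif [ "$min_addr" -eq 0 ]; then
        echo "no-smap-min-addr-disabled"
    else
        echo "no-smap-needs-fix"
    fi
}

# Constructed sample input (not taken from a real machine).
SAMPLE_NO_SMAP='flags : fpu vme de pse smep erms'
echo "sample host: $(triage "$SAMPLE_NO_SMAP" 65536)"

# Live check, only where the procfs files exist.
if [ -r /proc/cpuinfo ] && [ -r /proc/sys/vm/mmap_min_addr ]; then
    echo "this host: $(triage "$(cat /proc/cpuinfo)" "$(cat /proc/sys/vm/mmap_min_addr)")"
fi
```

A `no-smap-needs-fix` verdict means the kernel package should be checked against the vendor's advisory for CVE-2019-9213, since distribution kernels may carry the fix under a different version number.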