From: Danny Feng <dfeng@redhat.com> Date: Fri, 29 Jan 2010 09:26:37 -0500 Subject: [mm] switch do_brk to get_unmapped_area Message-id: <20100129092649.4587.94918.sendpatchset@dhcp-65-180.nay.redhat.com> Patchwork-id: 22996 O-Subject: [PATCH RHEL5.5 11/12 BZ556710 CVE-2010-0291] switch do_brk() to get_unmapped_area() Bugzilla: 556710 RH-Acked-by: Jarod Wilson <jarod@redhat.com> RH-Acked-by: Larry Woodman <lwoodman@redhat.com> backport of upstream commit 2c6a10161d0b5fc047b5bd81b03693b9af99fab5 Subject: [PATCH] switch do_brk() to get_unmapped_area() Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> diff --git a/mm/mmap.c b/mm/mmap.c index d720106..84b1a65 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -2037,18 +2037,14 @@ unsigned long do_brk(unsigned long addr, unsigned long len) if (!len) return addr; - if (((addr + len) > TASK_SIZE) || ((addr + len) < addr) || - is_hugepage_only_range(mm, addr, len)) - return -EINVAL; - error = security_file_mmap_addr(0, 0, 0, 0, addr, 1); if (error) return error; flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags; - error = arch_mmap_check(addr, len, flags); - if (error) + error = get_unmapped_area(NULL, addr, len, 0, MAP_FIXED); + if (error & ~PAGE_MASK) return error; /*
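Review bot: the commit message gives no rationale for dropping the explicit range checks at the top of this hunk, and the new `if (error & ~PAGE_MASK)` test after `get_unmapped_area(NULL, addr, len, 0, MAP_FIXED)` needs a comment. The removed lines rejected `addr + len > TASK_SIZE`, wraparound of `addr + len`, and `is_hugepage_only_range(mm, addr, len)` with -EINVAL, and the `arch_mmap_check(addr, len, flags)` call is gone as well. After this change, do_brk() depends entirely on get_unmapped_area() to perform equivalent validation for a MAP_FIXED request, and the error value seen by callers becomes whatever that function returns rather than a fixed -EINVAL. Since the subject ties this backport to CVE-2010-0291, please state in the message which of the removed checks get_unmapped_area() covers in this tree and whether an earlier patch in the 12-part series is a prerequisite. Separately, get_unmapped_area() returns an unsigned long that is either a page-aligned address or a negative errno, and the result is stored in `error`, whose declaration is outside this hunk. Please confirm the type of `error` is suitable for that value on 64-bit builds, and add a one-line comment explaining that a non-page-aligned return means failure, because the success value (the address) is otherwise silently discarded.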