Merge tag 'v5.4-rc7' into android-mainline

Linux 5.4-rc7 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I505207a0a6f68ccc3519d7f190d8faf25d9d479a
2019-11-11 06:10:55 +01:00
parent 8c36c8518c 31f4f5b495
commit 682d8bf784
293 changed files with 5489 additions and 1067 deletions
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -2568,7 +2568,35 @@ noinline static int copy_clone_args_from_user(struct kernel_clone_args *kargs,
 	return 0;
 }

-static bool clone3_args_valid(const struct kernel_clone_args *kargs)
+/**
+ * clone3_stack_valid - check and prepare stack
+ * @kargs: kernel clone args
+ *
+ * Verify that the stack arguments userspace gave us are sane.
+ * In addition, set the stack direction for userspace since it's easy for us to
+ * determine.
+ */
+static inline bool clone3_stack_valid(struct kernel_clone_args *kargs)
+{
+	if (kargs->stack == 0) {
+		if (kargs->stack_size > 0)
+			return false;
+	} else {
+		if (kargs->stack_size == 0)
+			return false;
+
+		if (!access_ok((void __user *)kargs->stack, kargs->stack_size))
+			return false;
+
+#if !defined(CONFIG_STACK_GROWSUP) && !defined(CONFIG_IA64)
+		kargs->stack += kargs->stack_size;
+#endif
+	}
+
+	return true;
+}
+
+static bool clone3_args_valid(struct kernel_clone_args *kargs)
 {
 	/*
 	 * All lower bits of the flag word are taken.
@@ -2588,6 +2616,9 @@ static bool clone3_args_valid(const struct kernel_clone_args *kargs)
 	    kargs->exit_signal)
 		return false;

+	if (!clone3_stack_valid(kargs))
+		return false;
+
 	return true;
 }