[POWERPC] spufs: avoid accessing kernel memory through mmapped /mem node

I found an exploit in current kernel. Currently, there is no range check about mmapping "/mem" node in spufs. Thus, an application can access privilege memory region. In case this kernel already worked on a public server, I send this information only here. If there are such servers in somewhere, please replace it, ASAP. Signed-off-by: Masato Noguchi <Masato.Noguchi@jp.sony.com> Signed-off-by: Arnd Bergmann <arnd.bergmann@de.ibm.com>

[POWERPC] spufs: avoid accessing kernel memory through mmapped /mem node
I found an exploit in current kernel. Currently, there is no range check about mmapping "/mem" node in spufs. Thus, an application can access privilege memory region. In case this kernel already worked on a public server, I send this information only here. If there are such servers in somewhere, please replace it, ASAP. Signed-off-by: Masato Noguchi <Masato.Noguchi@jp.sony.com> Signed-off-by: Arnd Bergmann <arnd.bergmann@de.ibm.com>
128b8546 · Masato Noguchi · Arnd Bergmann · 2eb1b120 · 128b8546
Commit 128b8546 authored Feb 13, 2007 by Masato Noguchi Committed by Arnd Bergmann Feb 13, 2007
Show whitespace changes
Inline Side-by-side

Showing with 3 additions and 0 deletions

arch/powerpc/platforms/cell/spufs/file.c arch/powerpc/platforms/cell/spufs/file.c +3 -0

No files found.
--- a/arch/powerpc/platforms/cell/spufs/file.c
+++ b/arch/powerpc/platforms/cell/spufs/file.c
@@ -103,6 +103,9 @@ static unsigned long spufs_mem_mmap_nopfn(struct vm_area_struct *vma,

 	offset += vma->vm_pgoff << PAGE_SHIFT;

+	if (offset >= LS_SIZE)
+		return NOPFN_SIGBUS;
+
 	spu_acquire(ctx);

 	if (ctx->state == SPU_STATE_SAVED) {