From: "Eric W. Biederman" ebiederm@xmission.com
stable inclusion from stable-v5.10.110 commit b043ae637a83585b2a497c2eb7ee49446fc68e98 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I6KT9C CVE: CVE-2023-1249
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
--------------------------------
commit 49c1866348f364478a0c4d3dd13fd08bb82d3a5b upstream.
The condition is impossible and to the best of my knowledge has never triggered.
We are in deep trouble if that conditions happens and we walk past the end of our allocated array.
So delete the WARN_ON and the code that makes it look like the kernel can handle the case of walking past the end of it's vma_meta array.
Reviewed-by: Jann Horn jannh@google.com Reviewed-by: Kees Cook keescook@chromium.org Signed-off-by: "Eric W. Biederman" ebiederm@xmission.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: Li Huafei lihuafei1@huawei.com Reviewed-by: Xu Kuohai xukuohai@huawei.com Reviewed-by: Xiu Jianfeng xiujianfeng@huawei.com Signed-off-by: Jialin Zhang zhangjialin11@huawei.com --- fs/coredump.c | 6 ------ 1 file changed, 6 deletions(-)
diff --git a/fs/coredump.c b/fs/coredump.c index dd2445df9e51..1b4a521f85f8 100644 --- a/fs/coredump.c +++ b/fs/coredump.c @@ -1130,12 +1130,6 @@ static bool dump_vma_snapshot(struct coredump_params *cprm)
mmap_write_unlock(mm);
- if (WARN_ON(i != cprm->vma_count)) { - kvfree(cprm->vma_meta); - return false; - } - - for (i = 0; i < cprm->vma_count; i++) { struct core_vma_metadata *m = cprm->vma_meta + i;