--- linux-2.4.22/mm/mremap.c 2004-02-14 03:16:22.000000000 +0100
+++ linux-2.4.22/mm/mremap.c.new 2004-02-14 03:30:23.000000000 +0100
@@ -256,6 +256,14 @@
if (new_len > TASK_SIZE || new_addr > TASK_SIZE - new_len)
goto out;
+ /* security fix (CAN-2003-0985)
+ * Allow new_len == 0 only if new_addr == addr
+ * to preserve truncation in place (that was working
+ * safe and some app may depend on it).
+ * */
+ if (unlikely(!new_len && new_addr != addr))
+ goto out;
+
/* Check if the location we're moving into overlaps the
* old location at all, and fail if it does.
*/
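Review bot: The added comment names the CVE but not the invariant being enforced, so a later maintainer cannot tell why `new_len == 0` is rejected only when `new_addr != addr`. I would say it directly, e.g. `/* CAN-2003-0985: a zero new_len with new_addr != addr would request a move to a zero-length mapping; only in-place truncation to zero stays allowed. */`, which also replaces the unclear "that was working safe" wording. The guard depends on whatever `out` returns, and on later code handling `new_len == 0` with `new_addr == addr` correctly. Both are outside this hunk, as is the start and end of the enclosing function, so they should be confirmed against the full file. If other paths in the function can reach the move logic without passing this check, they need the same zero-length test.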