On 06.10.25 14:14, Ryan Roberts wrote:
On 06/10/2025 12:36, David Hildenbrand wrote:
On 03.10.25 17:52, Ryan Roberts wrote:
fsnotify_mmap_perm() requires a byte offset for the file about to be mmap'ed. But it is called from vm_mmap_pgoff(), which has a page offset. Previously the conversion was done incorrectly so let's fix it, being careful not to overflow on 32-bit platforms.
Discovered during code review.
Cc: stable@vger.kernel.org Fixes: 066e053fe208 ("fsnotify: add pre-content hooks on mmap()") Signed-off-by: Ryan Roberts ryan.roberts@arm.com
Applies against today's mm-unstable (aa05a436eca8).
Curious: is there some easy way to write a reproducer? Did you look into that?
I didn't; this was just a drive-by discovery.
It looks like there are some fanotify tests in the filesystems selftests; I guess they could be extended to add a regression test?
But FWIW, I think the kernel is just passing the ofset/length info off to user space and isn't acting on it itself. So there is no kernel vulnerability here.
Right, I'm rather wondering if this could have been caught earlier and how we could have caught it earlier :)