Check that the permission of the new user address does not exceed the permission of old user address for mremap syscall.
Signed-off-by: Amit Daniel Kachhap amitdaniel.kachhap@arm.com --- mm/mremap.c | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/mm/mremap.c b/mm/mremap.c index fb648147b5d4..e3b67f55f2d8 100644 --- a/mm/mremap.c +++ b/mm/mremap.c @@ -1091,6 +1091,9 @@ SYSCALL_DEFINE5(__retptr__(mremap), user_uintptr_t, user_ptr, unsigned long, old if (flags & MREMAP_FIXED) { if (!check_user_ptr_owning(new_user_ptr, new_addr, new_len)) goto out; + if ((cheri_perms_get(user_ptr) | cheri_perms_get(new_user_ptr)) + != cheri_perms_get(user_ptr)) + goto out; if (!reserv_vmi_cap_within_reserv(&vmi, new_user_ptr, true)) { ret = -ERESERVATION; goto out;