Check that the permission of new user address does not exceed the permission of old user address for mremap syscall.
Signed-off-by: Amit Daniel Kachhap amit.kachhap@arm.com --- mm/mremap.c | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/mm/mremap.c b/mm/mremap.c index 6d92b233f0e6..fc0e5fb2508d 100644 --- a/mm/mremap.c +++ b/mm/mremap.c @@ -991,6 +991,9 @@ SYSCALL_DEFINE5(__retptr__(mremap), user_uintptr_t, user_addr, unsigned long, ol if (!capability_owns_range(user_new_addr, new_addr, new_len) || !(flags & MREMAP_FIXED)) goto out; + if ((cheri_perms_get(user_addr) | cheri_perms_get(user_new_addr)) + != cheri_perms_get(user_addr)) + goto out; vma_new = vma_lookup(mm, new_addr); if (!reserv_vma_range_fully_mapped(vma_new, new_addr, new_len)) { ret = -ERESERVATION;