NAK: [Focal] mm: Avoid creating virtual address aliases in brk()/mmap()/mremap()

Seth Forshee seth.forshee at
Fri Mar 6 20:53:35 UTC 2020

On Fri, Feb 28, 2020 at 10:03:19AM -0300, Thadeu Lima de Souza Cascardo wrote:
> From: Catalin Marinas <catalin.marinas at>
>
> CVE-2020-9391
>
> Currently the arm64 kernel ignores the top address byte passed to brk(),
> mmap() and mremap(). When the user is not aware of the 56-bit address
> limit or relies on the kernel to return an error, untagging such
> pointers has the potential to create address aliases in user-space.
> Passing a tagged address to munmap(), madvise() is permitted since the
> tagged pointer is expected to be inside an existing mapping.
>
> The current behaviour breaks the existing glibc malloc() implementation
> which relies on brk() with an address beyond 56-bit to be rejected by
> the kernel.
>
> Remove untagging in the above functions by partially reverting commit
> ce18d171cb73 ("mm: untag user pointers in mmap/munmap/mremap/brk"). In
> addition, update the arm64 tagged-address-abi.rst document accordingly.
>
> Link:
> Fixes: ce18d171cb73 ("mm: untag user pointers in mmap/munmap/mremap/brk")
> Cc: <stable at> # 5.4.x-
> Cc: Florian Weimer <fweimer at>
> Reviewed-by: Andrew Morton <akpm at>
> Reported-by: Victor Stinner <vstinner at>
> Acked-by: Will Deacon <will at>
> Acked-by: Andrey Konovalov <andreyknvl at>
> Signed-off-by: Catalin Marinas <catalin.marinas at>
> Signed-off-by: Will Deacon <will at>
> (cherry picked from commit dcde237319e626d1ec3c9d8b7613032f0fd4663a)
> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo at>

This patch has already been applied to focal from upstream stable
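
The aliasing described in the quoted commit message, as an added example that is not part of the original thread or the kernel source: a simplified user-space model in C of a brk()-style range check with and without untagging. `untag()`, `model_brk()`, `struct model_mm`, the 48-bit `MODEL_TASK_SIZE` and all addresses are assumptions constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified user-space model of the behaviour; not kernel code. */
#define MODEL_TASK_SIZE (1ULL << 48)          /* assumed 48-bit user VA limit */
#define MODEL_START_BRK 0x0000aaaac0000000ULL /* constructed heap start */

struct model_mm { uint64_t start_brk, brk; };

/* Drop the tag byte (bits 63:56) by sign-extending from bit 55. */
static uint64_t untag(uint64_t addr)
{
    const uint64_t tag_mask = 0xffULL << 56;
    return (addr & (1ULL << 55)) ? (addr | tag_mask) : (addr & ~tag_mask);
}

/* Returns the break after the call: the new value if accepted, the old
 * value if rejected. untag_first=true models the reverted behaviour. */
static uint64_t model_brk(struct model_mm *mm, uint64_t req, bool untag_first)
{
    if (untag_first)
        req = untag(req);
    if (req < mm->start_brk || req >= MODEL_TASK_SIZE)
        return mm->brk;                       /* out of range: rejected */
    mm->brk = req;
    return mm->brk;
}

int main(void)
{
    /* Constructed request: a valid heap address with 0x01 in the top byte,
     * i.e. an address beyond the 56-bit limit. */
    const uint64_t req = 0x0100aaaac0100000ULL;
    struct model_mm before = { MODEL_START_BRK, MODEL_START_BRK };
    struct model_mm after  = { MODEL_START_BRK, MODEL_START_BRK };

    printf("request            %#018llx\n", (unsigned long long)req);
    printf("with untagging     %#018llx (break moved to the alias)\n",
           (unsigned long long)model_brk(&before, req, true));
    printf("without untagging  %#018llx (rejected, break unchanged)\n",
           (unsigned long long)model_brk(&after, req, false));
    return 0;
}
```

With untagging, every value of the top byte maps the request onto the same low address, so a caller that expects an out-of-range request to fail instead has its break moved.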
