sparc: Fix mmap VA span checking (CVE-2008-2137)

[backport of 2.6 commit 5816339310b2d9623cf413d33e538b45e815da5d]

We should not conditionalize VA range checks on MAP_FIXED.

Signed-off-by: David S. Miller <davem@davemloft.net>
[w@1wt.eu: sparc_mmap_check() does not exist in 2.4]
Signed-off-by: Willy Tarreau <w@1wt.eu>

2 files changed, 3 insertions, 5 deletions

diff --git a/arch/sparc/kernel/sys_sparc.c b/arch/sparc/kernel/sys_sparc.c
index 8cea16cff99816..67f6515c373611 100644
--- a/arch/sparc/kernel/sys_sparc.c
+++ b/arch/sparc/kernel/sys_sparc.c
@@ -235,8 +235,7 @@ static unsigned long do_mmap2(unsigned long addr, unsigned long len,
 	len = PAGE_ALIGN(len);
 	if (ARCH_SUN4C_SUN4 &&
 	    (len > 0x20000000 ||
-	     ((flags & MAP_FIXED) &&
-	      addr < 0xe0000000 && addr + len > 0x20000000)))
+	     (addr < 0xe0000000 && addr + len > 0x20000000)))
 		goto out_putf;
 
 	/* See asm-sparc/uaccess.h */
diff --git a/arch/sparc64/kernel/sys_sparc.c b/arch/sparc64/kernel/sys_sparc.c
index 03750c81cc1140..9eccd43f647da7 100644
--- a/arch/sparc64/kernel/sys_sparc.c
+++ b/arch/sparc64/kernel/sys_sparc.c
@@ -300,12 +300,11 @@ asmlinkage unsigned long sys_mmap(unsigned long addr, unsigned long len,
 
 	if (current->thread.flags & SPARC_FLAG_32BIT) {
 		if (len > 0xf0000000UL ||
-		    ((flags & MAP_FIXED) && addr > 0xf0000000UL - len))
+		    (addr > 0xf0000000UL - len))
 			goto out_putf;
 	} else {
 		if (len > -PAGE_OFFSET ||
-		    ((flags & MAP_FIXED) &&
-		     addr < PAGE_OFFSET && addr + len > -PAGE_OFFSET))
+		    (addr < PAGE_OFFSET && addr + len > -PAGE_OFFSET))
 			goto out_putf;
 	}