From: Oleg Nesterov <oleg@redhat.com>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: Andi Kleen <andi@firstfloor.org>,
	Colin Walters <walters@verbum.org>,
	Denys Vlasenko <vda.linux@googlemail.com>,
	Jiri Slaby <jslaby@suse.cz>,
	Lennart Poettering <mzxreary@0pointer.de>,
	Lucas De Marchi <lucas.de.marchi@gmail.com>,
	Neil Horman <nhorman@tuxdriver.com>,
	security@kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH 1/1] usermodehelper: check subprocess_info->path != NULL
Date: Thu, 16 May 2013 17:43:55 +0200
Message-ID: <20130516154355.GB19060@redhat.com>
In-Reply-To: <20130516154323.GA19060@redhat.com>

argv_split(empty_or_all_spaces) happily succeeds; it simply returns
argc == 0 and argv[0] == NULL. Change call_usermodehelper_exec() to
check sub_info->path != NULL to avoid the crash.

This is the minimal fix, todo:

	- perhaps we should change argv_split() to return NULL or
	  change the callers.

	- kill or justify ->path[0] check

	- narrow the scope of helper_lock()

Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Cc: stable@vger.kernel.org
---
 kernel/kmod.c |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

diff --git a/kernel/kmod.c b/kernel/kmod.c
index 1296e72..8241906 100644
--- a/kernel/kmod.c
+++ b/kernel/kmod.c
@@ -569,6 +569,11 @@ int call_usermodehelper_exec(struct subprocess_info *sub_info, int wait)
 	int retval = 0;
 
 	helper_lock();
+	if (!sub_info->path) {
+		retval = -EINVAL;
+		goto out;
+	}
+
 	if (sub_info->path[0] == '\0')
 		goto out;
 
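Review bot: The new NULL branch returns -EINVAL, but the pre-existing empty-string check right below it (`if (sub_info->path[0] == '\0') goto out;`) still leaves retval at 0, so after this hunk a NULL path fails loudly while an empty path is reported to the caller as success. Either set `retval = -EINVAL;` in the empty-string branch as well or add a comment saying why an empty path stays a silent no-op; the "kill or justify ->path[0] check" todo in the description already points at this, and it would be cleaner to resolve it in the same patch so the two checks do not diverge. Minor: the new check reads only sub_info->path and does not depend on anything guarded by helper_lock(); if the `out` label needs the lock for cleanup the placement is fine, otherwise the check could sit before helper_lock() and slightly narrow the locked region, which the third todo item asks for anyway.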
-- 
1.5.5.1
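The following C block is an added example, not part of this patch or of the kernel sources. It shows in userspace the behaviour the commit message relies on: a constructed re-implementation of argv_split() that, like the kernel helper, succeeds on empty or all-space input and returns argc == 0 with argv[0] == NULL, plus a validate_helper_path() that mirrors the check order of the patched call_usermodehelper_exec() (NULL rejected with -EINVAL, empty string a silent no-op, anything else runs). The function names argv_split_demo, dup_range, argv_free_demo, validate_helper_path, run_helper_from_pattern and split_argc are assumptions for this example, as is the assumption that a caller hands argv[0] of the split line to the helper as its path.

```c
#include <ctype.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>

static void argv_free_demo(char **argv)
{
	char **p;
	if (!argv)
		return;
	for (p = argv; *p; p++)
		free(*p);
	free(argv);
}

/* Copy [start, end) into a fresh NUL-terminated string. */
static char *dup_range(const char *start, const char *end)
{
	size_t n = (size_t)(end - start);
	char *s = malloc(n + 1);
	if (s) {
		memcpy(s, start, n);
		s[n] = '\0';
	}
	return s;
}

/* Constructed userspace stand-in for the kernel's argv_split(), not the
 * kernel code: splits STR on whitespace into a NULL-terminated argv array
 * and stores the token count in *argcp.  Like the kernel helper it succeeds
 * on empty or all-space input, returning argc == 0 and argv[0] == NULL. */
static char **argv_split_demo(const char *str, int *argcp)
{
	char **argv = NULL, **tmp;
	const char *p = str, *start;
	int argc = 0;

	for (;;) {
		while (*p && isspace((unsigned char)*p))
			p++;
		/* room for one more token plus the terminating NULL */
		tmp = realloc(argv, ((size_t)argc + 2) * sizeof(*argv));
		if (!tmp)
			goto fail;
		argv = tmp;
		argv[argc] = NULL;
		if (!*p)
			break;
		start = p;
		while (*p && !isspace((unsigned char)*p))
			p++;
		argv[argc] = dup_range(start, p);
		if (!argv[argc])
			goto fail;
		argv[++argc] = NULL;
	}
	if (argcp)
		*argcp = argc;
	return argv;
fail:
	argv_free_demo(argv);
	return NULL;
}

/* Check order of the patched call_usermodehelper_exec(): NULL -> -EINVAL
 * (the new check; path[0] would have faulted), "" -> 0 (the pre-existing
 * silent no-op), anything else -> 1 (the helper would be run). */
static int validate_helper_path(const char *path)
{
	if (!path)
		return -EINVAL;
	if (path[0] == '\0')
		return 0;
	return 1;
}

/* Split a helper command line and use argv[0] as the path: the sequence
 * that dereferenced NULL before the patch on an empty/all-space line. */
static int run_helper_from_pattern(const char *line)
{
	int argc, ret;
	char **argv = argv_split_demo(line, &argc);
	if (!argv)
		return -ENOMEM;
	ret = validate_helper_path(argv[0]);
	argv_free_demo(argv);
	return ret;
}

/* Token count reported by argv_split_demo(), -1 on allocation failure. */
static int split_argc(const char *s)
{
	int argc = -1;
	char **argv = argv_split_demo(s, &argc);
	argv_free_demo(argv);
	return argc;
}
```

Calling run_helper_from_pattern("") or run_helper_from_pattern("   ") returns -EINVAL because the split produced argv[0] == NULL; without the NULL test in validate_helper_path() the path[0] read would be the same NULL dereference the patch fixes. A non-empty line such as "/sbin/helper -a b" splits into three tokens and returns 1. Note that validate_helper_path("") returns 0, reproducing the asymmetry between the new and the pre-existing check that the todo list flags.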
