From: Oleg Nesterov <oleg@redhat.com>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>,
Eric Paris <eparis@parisplace.org>,
Steven Rostedt <rostedt@goodmis.org>,
LKML <linux-kernel@vger.kernel.org>,
Andrew Morton <akpm@linux-foundation.org>,
David Smith <dsmith@redhat.com>,
Peter Zijlstra <a.p.zijlstra@chello.nl>,
Igor Zhbanov <i.zhbanov@samsung.com>,
Christoph Hellwig <hch@infradead.org>
Subject: Re: [RFC][PATCH] exec: Fix use after free of tracepoint trace_sched_process_exec
Date: Wed, 5 Feb 2014 14:52:03 +0100
Message-ID: <20140205135203.GA16229@redhat.com>
In-Reply-To: <CA+55aFy23NFG6Vw_FRXSALcCeOXF=48iS4s2rDc_0dAONbOETw@mail.gmail.com>
On 02/04, Linus Torvalds wrote:
>
> --- a/kernel/kmod.c
> +++ b/kernel/kmod.c
> @@ -239,7 +239,7 @@ static int ____call_usermodehelper(void *data)
>
> commit_creds(new);
>
> - retval = do_execve(sub_info->path,
> + retval = do_execve(getname_kernel(sub_info->path),
> (const char __user *const __user *)sub_info->argv,
> (const char __user *const __user *)sub_info->envp);
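Review bot: getname_kernel() allocates and can fail, and this hunk feeds its return value straight into do_execve() with no IS_ERR()/NULL check at the call site; either check it here or make sure do_execve() (not quoted) returns PTR_ERR(filename) before touching it, otherwise an allocation failure in the usermodehelper path dereferences an error pointer.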
Great, this naturally duplicates filename unconditionally, and we can
kill bprm->tcomm[].
But,
> --- a/include/linux/binfmts.h
> +++ b/include/linux/binfmts.h
> @@ -37,7 +37,7 @@ struct linux_binprm {
> int unsafe; /* how unsafe this exec is (mask of LSM_UNSAFE_*) */
> unsigned int per_clear; /* bits to clear in current->personality */
> int argc, envc;
> - const char * filename; /* Name of binary as seen by procps */
> + struct filename *filename; /* Name of binary as seen by procps */
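Review bot: changing bprm->filename from `const char *` to `struct filename *` changes the type of a field whose own comment says it is read outside exec (procps-facing), so every existing reader, including the sched_process_exec tracepoint named in the subject and any binfmt that compares against bprm->interp, has to switch to ->name; none of those updates appear in the hunks quoted here, so check the rest of the patch covers them. If only the exec path needs the struct, keeping the field as `const char *` and storing filename->name avoids touching those readers at all.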
Do we really need this change? If not (afaics), the patch can be
much simpler, see below...
> -void free_bprm(struct linux_binprm *bprm)
> +static void free_bprm(struct linux_binprm *bprm)
> {
> free_arg_pages(bprm);
> if (bprm->cred) {
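Review bot: making free_bprm() static here requires dropping its prototype from include/linux/binfmts.h in the same patch, since the compiler rejects a static definition that follows a non-static declaration; the binfmts.h hunk quoted above only touches the struct, so confirm the prototype removal is elsewhere in the patch.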
> @@ -1174,15 +1179,17 @@ void free_bprm(struct linux_binprm *bprm)
> fput(bprm->file);
> }
> /* If a binfmt changed the interp, free it. */
> - if (bprm->interp != bprm->filename)
> + if (bprm->interp != bprm->filename->name)
> kfree(bprm->interp);
> + if (bprm->filename)
> + putname(bprm->filename);
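Review bot: the NULL check is in the wrong order: `bprm->interp != bprm->filename->name` dereferences bprm->filename two lines before `if (bprm->filename)` tests it, so on any exit path where bprm->filename was never assigned (free_bprm() is reached from out_free on early failures) this oopses before the guarded putname() runs. Either guard the ->name access the same way, or drop the NULL check altogether and make the caller own the struct filename so free_bprm() never sees a NULL here.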
Even if we actually need to turn bprm->filename into "struct filename",
this free_bprm()->putname() only complicates the code, unless I missed
something. The caller, do_execve(), can do putname() unconditionally and
avoid if/NULL games.
IOW, doesn't the change below (on top of your patch) obviously make
sense, or am I totally confused?
Oleg.
--- x/fs/exec.c
+++ x/fs/exec.c
@@ -1183,8 +1183,6 @@ static void free_bprm(struct linux_binpr
/* If a binfmt changed the interp, free it. */
if (bprm->interp != bprm->filename->name)
kfree(bprm->interp);
- if (bprm->filename)
- putname(bprm->filename);
kfree(bprm);
}
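Review bot: with putname() gone from free_bprm(), the remaining `bprm->interp != bprm->filename->name` still dereferences bprm->filename, and the later hunk moves the assignment of bprm->filename below sched_exec(); bprm comes from kzalloc(), so any failure before that point (prepare_bprm_creds() failing jumps to out_free) now calls free_bprm() with bprm->filename == NULL and oopses on this line. Keeping bprm->filename as a plain `const char *` set from filename->name makes the comparison NULL-safe (both pointers are NULL on an early failure, so nothing is freed), which is also the simpler variant this reply asks about.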
@@ -1478,9 +1476,6 @@ static int do_execve_common(struct filen
if (!bprm)
goto out_files;
- bprm->filename = filename;
- bprm->interp = filename->name;
-
retval = prepare_bprm_creds(bprm);
if (retval)
goto out_free;
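Review bot: removing the assignment here means prepare_bprm_creds() and everything up to the new assignment site below sched_exec() now run with bprm->filename and bprm->interp unset; that is correct only if nothing on that stretch reads either field, which the diff cannot show. A sentence in the changelog saying why the later site is safe, and that free_bprm() must tolerate an unset filename on the out_free path, would save the next reader from re-deriving it.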
@@ -1496,6 +1491,8 @@ static int do_execve_common(struct filen
sched_exec();
bprm->file = file;
+ bprm->filename = filename;
+ bprm->interp = filename->name;
retval = bprm_mm_init(bprm);
if (retval)
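Review bot: from this point on bprm only borrows filename->name, and the borrow stays valid for bprm's whole lifetime because the caller now does putname() at out_ret, after free_bprm(); that ordering is the whole reason the unconditional putname() is safe, so a one-line comment at this assignment stating "filename is released by do_execve_common(), not by free_bprm()" would make the ownership rule explicit.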
@@ -1538,7 +1535,7 @@ static int do_execve_common(struct filen
free_bprm(bprm);
if (displaced)
put_files_struct(displaced);
- return retval;
+ goto out_ret;
out:
if (bprm->mm) {
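Review bot: turning the success-path `return retval` into `goto out_ret` is what lets every path share the single putname(), but it also means out_ret is reached with displaced already handled two different ways (put_files_struct() here on success, reset_files_struct() under out_files on failure); a short comment at the out_ret label that it must only release filename keeps a later cleanup from hoisting the displaced handling into it.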
@@ -1552,14 +1549,12 @@ out_unmark:
out_free:
free_bprm(bprm);
- filename = NULL;
out_files:
if (displaced)
reset_files_struct(displaced);
out_ret:
- if (filename)
- putname(filename);
+ putname(filename);
return retval;
}
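Review bot: putname(filename) is now unconditional at out_ret, so do_execve_common() must never be entered with an ERR_PTR or NULL filename; getname() and getname_kernel() return ERR_PTR on failure, so the IS_ERR() check has to live in the callers (do_execve() and the compat variant, neither in this diff). The dropped `filename = NULL` existed only to avoid a double put against the old free_bprm(); with free_bprm() no longer touching filename, the bprm-allocation-failure path through out_files now releases the name exactly like every other path, which is the intended single-owner rule.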
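As an added example (it is not code from this thread or from the kernel), here is the ownership rule the reply is arguing for, modelled in user space: getname_kernel() copies the caller's string so the exec path owns it, free_bprm() frees interp only when a binfmt replaced it, and the caller releases the name exactly once at out_ret on every path. It assumes the variant the reply asks about, bprm->filename kept as a plain `const char *` aliasing filename->name, and uses plain negative errnos instead of ERR_PTR. The allocation counter, the fail_early/simulate_script knobs and the helper names run_helper() and outstanding_allocs() are inventions for the example, and the path strings are constructed.

```c
/* Added example, not kernel code: user-space model of the filename
 * ownership rule from the thread. Assumed: bprm->filename stays a plain
 * const char * aliasing filename->name, and errors are negative errnos. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static int live_allocs;                    /* outstanding allocations, checked for leaks */

struct filename { char *name; };           /* owns name; released by putname() */
struct linux_binprm {
    const char *filename;                  /* borrowed from struct filename, never freed here */
    const char *interp;                    /* == filename unless a binfmt replaced it */
};

/* Zeroed allocation (like kzalloc()) and matching free, both counted. */
static void *xalloc(size_t n) { void *p = calloc(1, n); if (p) live_allocs++; return p; }
static void xfree(const void *p) { if (p) { live_allocs--; free((void *)p); } }

/* Model of getname_kernel(): duplicate the caller's string so the exec
 * path owns a copy and the caller may free its own buffer at any time. */
static struct filename *getname_kernel(const char *path)
{
    struct filename *f = xalloc(sizeof(*f));
    if (!f)
        return NULL;
    f->name = xalloc(strlen(path) + 1);
    if (!f->name) {
        xfree(f);
        return NULL;
    }
    strcpy(f->name, path);
    return f;
}

static void putname(struct filename *f) { if (f) { xfree(f->name); xfree(f); } }

/* free_bprm() as changed in the reply: it never touches struct filename.
 * On an early failure both pointers are still NULL, so nothing is freed. */
static void free_bprm(struct linux_binprm *bprm)
{
    if (bprm->interp != bprm->filename)
        xfree(bprm->interp);
    xfree(bprm);
}

/* Stand-in for a script binfmt that replaces interp with its own string. */
static int exec_binprm(struct linux_binprm *bprm, int simulate_script)
{
    if (simulate_script) {
        char *interp = xalloc(sizeof "/bin/sh");
        if (!interp)
            return -ENOMEM;
        strcpy(interp, "/bin/sh");
        bprm->interp = interp;
    }
    return 0;
}

/* Model of do_execve_common(): exactly one putname() on every path. */
static int do_execve_common(struct filename *filename, int fail_early, int simulate_script)
{
    struct linux_binprm *bprm = xalloc(sizeof(*bprm));
    int retval = -ENOMEM;

    if (!bprm)
        goto out_ret;
    retval = fail_early ? -EACCES : 0;     /* stands in for prepare_bprm_creds() */
    if (retval)
        goto out_free;
    bprm->filename = bprm->interp = filename->name;   /* only after the early checks */
    retval = exec_binprm(bprm, simulate_script);
out_free:
    free_bprm(bprm);
out_ret:
    putname(filename);                     /* the caller owns the name: put it once, here */
    return retval;
}

static int do_execve(const char *path, int fail_early, int simulate_script)
{
    struct filename *f = getname_kernel(path);
    return f ? do_execve_common(f, fail_early, simulate_script) : -ENOMEM;
}

/* Caller side (usermodehelper-like): its buffer may die right after the call. */
static int run_helper(int fail_early, int simulate_script)
{
    char *path = xalloc(sizeof "/sbin/hotplug");   /* constructed sample path */
    int ret;
    if (!path)
        return -ENOMEM;
    strcpy(path, "/sbin/hotplug");
    ret = do_execve(path, fail_early, simulate_script);
    xfree(path);                           /* safe: the exec path kept its own copy */
    return ret;
}

static int outstanding_allocs(void) { return live_allocs; }
```

Running run_helper() for the plain, early-failure and script-interp cases should leave outstanding_allocs() at zero each time; the early-failure case is the one that would have oopsed with a `bprm->filename->name` dereference in free_bprm(), since both pointers are still NULL there.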
Thread overview: 14+ messages
2014-02-04 17:05 [RFC][PATCH] exec: Fix use after free of tracepoint trace_sched_process_exec Steven Rostedt
2014-02-04 19:00 ` Oleg Nesterov
2014-02-04 20:10 ` Steven Rostedt
2014-02-04 20:18 ` Linus Torvalds
2014-02-04 20:31 ` Steven Rostedt
2014-02-04 23:28 ` Steven Rostedt
2014-02-04 23:42 ` Steven Rostedt
2014-02-05 0:57 ` Linus Torvalds
2014-02-05 1:10 ` Al Viro
2014-02-05 3:37 ` Linus Torvalds
2014-02-05 13:52 ` Oleg Nesterov [this message]
2014-02-05 16:52 ` Linus Torvalds
2014-02-05 2:31 ` Steven Rostedt
2014-02-05 2:51 ` Steven Rostedt