public inbox for linux-kernel@vger.kernel.org
* [PATCH] binfmt_elf_fdpic: fix clear_user() error handling
@ 2010-05-28  7:56 Takuya Yoshikawa
  2010-05-28 17:38 ` Mike Frysinger
From: Takuya Yoshikawa @ 2010-05-28  7:56 UTC (permalink / raw)
  To: akpm, viro
  Cc: d.hatayama, dhowells, vapier, lethal, takuya.yoshikawa,
	linux-fsdevel, linux-kernel

Hi, I found some places in bin_elf_fdpic at which clear_user() is
incorrectly handled, by chance, when I was trying to check how to
use clear_user().

IIUC, the following commit was not correct.

  commit ab4ad55512e95b68ca3e25516068e18874f89252
  bin_elf_fdpic: check the return value of clear_user

Although I don't have an appropriate test box for this, I wrote a
simple patch to fix this. So if this is worth fixing, please pick
this up.

Thanks,
  Takuya

===
clear_user() returns the number of bytes, unsigned long, that could not
be copied. So we should return -EFAULT rather than directly returning the results.

Without this patch, positive values may be passed to elf_fdpic_map_file() and
the following error handling does not function as expected.

1.
	ret = elf_fdpic_map_file_constdisp_on_uclinux(params, file, mm);
	if (ret < 0)
		return ret;
2.
	ret = elf_fdpic_map_file_by_direct_mmap(params, file, mm);
	if (ret < 0)
		return ret;

Signed-off-by: Takuya Yoshikawa <yoshikawa.takuya@oss.ntt.co.jp>
CC: Alexander Viro <viro@zeniv.linux.org.uk>
CC: Andrew Morton <akpm@linux-foundation.org>
CC: Daisuke HATAYAMA <d.hatayama@jp.fujitsu.com>
CC: David Howells <dhowells@redhat.com>
CC: Mike Frysinger <vapier@gentoo.org>
CC: Paul Mundt <lethal@linux-sh.org>
---
 fs/binfmt_elf_fdpic.c |   26 +++++++++++---------------
 1 files changed, 11 insertions(+), 15 deletions(-)

diff --git a/fs/binfmt_elf_fdpic.c b/fs/binfmt_elf_fdpic.c
index 2c5f9a0..63039ed 100644
--- a/fs/binfmt_elf_fdpic.c
+++ b/fs/binfmt_elf_fdpic.c
@@ -990,10 +990,9 @@ static int elf_fdpic_map_file_constdisp_on_uclinux(
 
 		/* clear any space allocated but not loaded */
 		if (phdr->p_filesz < phdr->p_memsz) {
-			ret = clear_user((void *) (seg->addr + phdr->p_filesz),
-					 phdr->p_memsz - phdr->p_filesz);
-			if (ret)
-				return ret;
+			if (clear_user((void *) (seg->addr + phdr->p_filesz),
+				       phdr->p_memsz - phdr->p_filesz))
+				return -EFAULT;
 		}
 
 		if (mm) {
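Review bot: the cast on the clear_user() argument in this hunk, `(void *) (seg->addr + phdr->p_filesz)`, lacks the `__user` address-space annotation that the other call sites touched by this patch carry (`(void __user *) maddr`), so sparse will flag the pointer handed to clear_user(); suggest `(void __user *) (seg->addr + phdr->p_filesz)` while the line is being rewritten anyway. The conversion of the residual count into -EFAULT is right: this call site only needs to know whether the clear succeeded, not how many bytes were left.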
@@ -1027,7 +1026,7 @@ static int elf_fdpic_map_file_by_direct_mmap(struct elf_fdpic_params *params,
 	struct elf32_fdpic_loadseg *seg;
 	struct elf32_phdr *phdr;
 	unsigned long load_addr, delta_vaddr;
-	int loop, dvset, ret;
+	int loop, dvset;
 
 	load_addr = params->load_addr;
 	delta_vaddr = 0;
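Review bot: dropping `ret` from the declarations also removes an implicit narrowing the old code had, since `ret = clear_user(...)` stored the `unsigned long` residual that the commit message describes into an `int`; that is worth a sentence in the commit message, as the sign convention is not the only thing the old pattern got wrong. No other use of `ret` is visible in the hunks, so a build of fs/binfmt_elf_fdpic.c with both branches of the `#ifdef` in the last hunk should confirm the variable is not referenced elsewhere in elf_fdpic_map_file_by_direct_mmap().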
@@ -1127,9 +1126,8 @@ static int elf_fdpic_map_file_by_direct_mmap(struct elf_fdpic_params *params,
 		 * PT_LOAD */
 		if (prot & PROT_WRITE && disp > 0) {
 			kdebug("clear[%d] ad=%lx sz=%lx", loop, maddr, disp);
-			ret = clear_user((void __user *) maddr, disp);
-			if (ret)
-				return ret;
+			if (clear_user((void __user *) maddr, disp))
+				return -EFAULT;
 			maddr += disp;
 		}
 
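Review bot: the failure path here returns -EFAULT silently, while the kdebug() just above records every attempted clear; a second kdebug() before `return -EFAULT` (address and size, as in the trace line) would let a failed clear be told apart from the other -EFAULT sources the caller can see. The change itself is correct: with the old `return ret`, a positive residual passed the caller's `ret < 0` test and the load carried on with part of the writable segment left uncleared.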
@@ -1164,19 +1162,17 @@ static int elf_fdpic_map_file_by_direct_mmap(struct elf_fdpic_params *params,
 		if (prot & PROT_WRITE && excess1 > 0) {
 			kdebug("clear[%d] ad=%lx sz=%lx",
 			       loop, maddr + phdr->p_filesz, excess1);
-			ret = clear_user((void __user *) maddr + phdr->p_filesz,
-					 excess1);
-			if (ret)
-				return ret;
+			if (clear_user((void __user *) maddr + phdr->p_filesz,
+				       excess1))
+				return -EFAULT;
 		}
 
 #else
 		if (excess > 0) {
 			kdebug("clear[%d] ad=%lx sz=%lx",
 			       loop, maddr + phdr->p_filesz, excess);
-			ret = clear_user((void *) maddr + phdr->p_filesz, excess);
-			if (ret)
-				return ret;
+			if (clear_user((void *) maddr + phdr->p_filesz, excess))
+				return -EFAULT;
 		}
 #endif
 
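Review bot: the `#else` branch keeps `(void *) maddr + phdr->p_filesz` while the branch above it uses `(void __user *) maddr + phdr->p_filesz`; the two should carry the same annotation. In both forms the cast applies to `maddr` before `phdr->p_filesz` is added, which relies on void-pointer arithmetic; `(void __user *) (maddr + phdr->p_filesz)`, the parenthesized form the first hunk already uses, makes the intent plainer. Both branches now return -EFAULT, which matches the `ret < 0` checks quoted in the commit message.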
-- 
1.7.0.4
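To make the mismatch concrete, here is an added userspace simulation (not the patch's or the kernel's code): fake_clear_user mimics the residual-count return of clear_user(), map_segment_old and map_segment_new mirror the first hunk before and after the patch, caller_treats_as_error is the `ret < 0` test from elf_fdpic_map_file(), and run_scenario drives them on a constructed segment. All names here are invented for the example.

```c
#include <errno.h>
#include <string.h>

/* Stand-in for clear_user(), constructed for this example: zeroes up to
 * `writable` bytes at `to`, returns how many of `n` were NOT cleared. */
static unsigned long fake_clear_user(unsigned char *to, unsigned long n,
                                     unsigned long writable)
{
    unsigned long done = n < writable ? n : writable;
    memset(to, 0, done);
    return n - done;          /* 0 on success, never a negative errno */
}

/* Pre-patch pattern from the first hunk: residual count returned as-is. */
static int map_segment_old(unsigned char *seg, unsigned long filesz,
                           unsigned long memsz, unsigned long writable)
{
    unsigned long avail = writable > filesz ? writable - filesz : 0;
    int ret;
    if (filesz < memsz) {
        ret = fake_clear_user(seg + filesz, memsz - filesz, avail);
        if (ret)
            return ret;   /* positive, so the caller reads it as success */
    }
    return 0;
}

/* Post-patch pattern: any non-zero residual becomes -EFAULT. */
static int map_segment_new(unsigned char *seg, unsigned long filesz,
                           unsigned long memsz, unsigned long writable)
{
    unsigned long avail = writable > filesz ? writable - filesz : 0;
    if (filesz < memsz && fake_clear_user(seg + filesz, memsz - filesz, avail))
        return -EFAULT;
    return 0;
}

/* The check elf_fdpic_map_file() applies: only negative values are errors. */
static int caller_treats_as_error(int ret) { return ret < 0; }

/* One run on a constructed 16-byte segment (p_filesz 4, p_memsz 16) whose
 * first `writable` bytes accept writes; returns what the mapper reported. */
static int run_scenario(int fixed, unsigned long writable)
{
    unsigned char seg[16];
    memset(seg, 0xAA, sizeof seg);   /* stale non-zero contents */
    return fixed ? map_segment_new(seg, 4, 16, writable)
                 : map_segment_old(seg, 4, 16, writable);
}
```

With only 8 of the 16 bytes writable, the old pattern reports 8 and the caller's `ret < 0` test lets the load continue; the new pattern reports -EFAULT and the load stops.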



* Re: [PATCH] binfmt_elf_fdpic: fix clear_user() error handling
  2010-05-28  7:56 [PATCH] binfmt_elf_fdpic: fix clear_user() error handling Takuya Yoshikawa
@ 2010-05-28 17:38 ` Mike Frysinger
  2010-06-01 12:29   ` David Howells
From: Mike Frysinger @ 2010-05-28 17:38 UTC (permalink / raw)
  To: Takuya Yoshikawa
  Cc: akpm, viro, d.hatayama, dhowells, lethal, takuya.yoshikawa,
	linux-fsdevel, linux-kernel

On Fri, May 28, 2010 at 03:56, Takuya Yoshikawa wrote:
> Hi, I found some places in bin_elf_fdpic at which clear_user() is
> incorrectly handled, by chance, when I was trying to check how to
> use clear_user().
>
> IIUC, the following commit was not correct.
>
>  commit ab4ad55512e95b68ca3e25516068e18874f89252
>  bin_elf_fdpic: check the return value of clear_user
>
> Although I don't have an appropriate test box for this, I wrote a
> simple patch to fix this. So if this is worth fixing, please pick
> this up.

the intention was that these functions return 0 only on success, and
non-zero otherwise.  along those lines, the patch does what was
intended.  unfortunately, the logic calling these funcs only checks
for negative values.

> clear_user() returns the number of bytes, unsigned long, that could not
> be copied. So we should return -EFAULT rather than directly returning the results.
>
> Without this patch, positive values may be passed to elf_fdpic_map_file() and
> the following error handling does not function as expected.

on nommu systems, this is generally not an issue because clear_user()
is basically a memset().  but it's good to handle every case.

Acked-by: Mike Frysinger <vapier@gentoo.org>
-mike


* Re: [PATCH] binfmt_elf_fdpic: fix clear_user() error handling
  2010-05-28 17:38 ` Mike Frysinger
@ 2010-06-01 12:29   ` David Howells
From: David Howells @ 2010-06-01 12:29 UTC (permalink / raw)
  To: Mike Frysinger
  Cc: dhowells, Takuya Yoshikawa, akpm, viro, d.hatayama, lethal,
	takuya.yoshikawa, linux-fsdevel, linux-kernel

Mike Frysinger <vapier.adi@gmail.com> wrote:

> on nommu systems, this is generally not an issue because clear_user()
> is basically a memset().  but it's good to handle every case.

But FDPIC is used on MMU systems too.

David


* [PATCH] binfmt_elf_fdpic: Fix clear_user() error handling
@ 2010-06-01 13:10 David Howells
  2010-06-02  2:40 ` Takuya Yoshikawa
  2010-06-02  8:20 ` Paul Mundt
From: David Howells @ 2010-06-01 13:10 UTC (permalink / raw)
  To: torvalds, akpm
  Cc: linux-kernel, Takuya Yoshikawa, David Howells, Mike Frysinger,
	Alexander Viro, Andrew Morton, Daisuke HATAYAMA, Paul Mundt

From: Takuya Yoshikawa <yoshikawa.takuya@oss.ntt.co.jp>

clear_user() returns the number of bytes that could not be copied rather than
an error code.  So we should return -EFAULT rather than directly returning the
results.

Without this patch, positive values may be returned to elf_fdpic_map_file()
and the following error handling does not function as expected.

1.
	ret = elf_fdpic_map_file_constdisp_on_uclinux(params, file, mm);
	if (ret < 0)
		return ret;
2.
	ret = elf_fdpic_map_file_by_direct_mmap(params, file, mm);
	if (ret < 0)
		return ret;

Signed-off-by: Takuya Yoshikawa <yoshikawa.takuya@oss.ntt.co.jp>
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Mike Frysinger <vapier@gentoo.org>
CC: Alexander Viro <viro@zeniv.linux.org.uk>
CC: Andrew Morton <akpm@linux-foundation.org>
CC: Daisuke HATAYAMA <d.hatayama@jp.fujitsu.com>
CC: Paul Mundt <lethal@linux-sh.org>
---

 fs/binfmt_elf_fdpic.c |   26 +++++++++++---------------
 1 files changed, 11 insertions(+), 15 deletions(-)


diff --git a/fs/binfmt_elf_fdpic.c b/fs/binfmt_elf_fdpic.c
index 2c5f9a0..63039ed 100644
--- a/fs/binfmt_elf_fdpic.c
+++ b/fs/binfmt_elf_fdpic.c
@@ -990,10 +990,9 @@ static int elf_fdpic_map_file_constdisp_on_uclinux(
 
 		/* clear any space allocated but not loaded */
 		if (phdr->p_filesz < phdr->p_memsz) {
-			ret = clear_user((void *) (seg->addr + phdr->p_filesz),
-					 phdr->p_memsz - phdr->p_filesz);
-			if (ret)
-				return ret;
+			if (clear_user((void *) (seg->addr + phdr->p_filesz),
+				       phdr->p_memsz - phdr->p_filesz))
+				return -EFAULT;
 		}
 
 		if (mm) {
@@ -1027,7 +1026,7 @@ static int elf_fdpic_map_file_by_direct_mmap(struct elf_fdpic_params *params,
 	struct elf32_fdpic_loadseg *seg;
 	struct elf32_phdr *phdr;
 	unsigned long load_addr, delta_vaddr;
-	int loop, dvset, ret;
+	int loop, dvset;
 
 	load_addr = params->load_addr;
 	delta_vaddr = 0;
@@ -1127,9 +1126,8 @@ static int elf_fdpic_map_file_by_direct_mmap(struct elf_fdpic_params *params,
 		 * PT_LOAD */
 		if (prot & PROT_WRITE && disp > 0) {
 			kdebug("clear[%d] ad=%lx sz=%lx", loop, maddr, disp);
-			ret = clear_user((void __user *) maddr, disp);
-			if (ret)
-				return ret;
+			if (clear_user((void __user *) maddr, disp))
+				return -EFAULT;
 			maddr += disp;
 		}
 
@@ -1164,19 +1162,17 @@ static int elf_fdpic_map_file_by_direct_mmap(struct elf_fdpic_params *params,
 		if (prot & PROT_WRITE && excess1 > 0) {
 			kdebug("clear[%d] ad=%lx sz=%lx",
 			       loop, maddr + phdr->p_filesz, excess1);
-			ret = clear_user((void __user *) maddr + phdr->p_filesz,
-					 excess1);
-			if (ret)
-				return ret;
+			if (clear_user((void __user *) maddr + phdr->p_filesz,
+				       excess1))
+				return -EFAULT;
 		}
 
 #else
 		if (excess > 0) {
 			kdebug("clear[%d] ad=%lx sz=%lx",
 			       loop, maddr + phdr->p_filesz, excess);
-			ret = clear_user((void *) maddr + phdr->p_filesz, excess);
-			if (ret)
-				return ret;
+			if (clear_user((void *) maddr + phdr->p_filesz, excess))
+				return -EFAULT;
 		}
 #endif
 



* Re: [PATCH] binfmt_elf_fdpic: Fix clear_user() error handling
  2010-06-01 13:10 [PATCH] binfmt_elf_fdpic: Fix " David Howells
@ 2010-06-02  2:40 ` Takuya Yoshikawa
  2010-06-02  8:20 ` Paul Mundt
From: Takuya Yoshikawa @ 2010-06-02  2:40 UTC (permalink / raw)
  To: David Howells
  Cc: torvalds, akpm, linux-kernel, Mike Frysinger, Alexander Viro,
	Daisuke HATAYAMA, Paul Mundt

David Howells <dhowells@redhat.com> wrote:

> From: Takuya Yoshikawa <yoshikawa.takuya@oss.ntt.co.jp>
> 

Thanks for updating and improving the explanation!

  Takuya




-- 
Takuya Yoshikawa <yoshikawa.takuya@oss.ntt.co.jp>


* Re: [PATCH] binfmt_elf_fdpic: Fix clear_user() error handling
  2010-06-01 13:10 [PATCH] binfmt_elf_fdpic: Fix " David Howells
  2010-06-02  2:40 ` Takuya Yoshikawa
@ 2010-06-02  8:20 ` Paul Mundt
From: Paul Mundt @ 2010-06-02  8:20 UTC (permalink / raw)
  To: David Howells
  Cc: torvalds, akpm, linux-kernel, Takuya Yoshikawa, Mike Frysinger,
	Alexander Viro, Daisuke HATAYAMA

On Tue, Jun 01, 2010 at 02:10:47PM +0100, David Howells wrote:
> From: Takuya Yoshikawa <yoshikawa.takuya@oss.ntt.co.jp>
> 
> clear_user() returns the number of bytes that could not be copied rather than
> an error code.  So we should return -EFAULT rather than directly returning the
> results.
> 
> Without this patch, positive values may be returned to elf_fdpic_map_file()
> and the following error handling does not function as expected.
> 
> 1.
> 	ret = elf_fdpic_map_file_constdisp_on_uclinux(params, file, mm);
> 	if (ret < 0)
> 		return ret;
> 2.
> 	ret = elf_fdpic_map_file_by_direct_mmap(params, file, mm);
> 	if (ret < 0)
> 		return ret;
> 
> Signed-off-by: Takuya Yoshikawa <yoshikawa.takuya@oss.ntt.co.jp>
> Signed-off-by: David Howells <dhowells@redhat.com>
> Acked-by: Mike Frysinger <vapier@gentoo.org>
> CC: Alexander Viro <viro@zeniv.linux.org.uk>
> CC: Andrew Morton <akpm@linux-foundation.org>
> CC: Daisuke HATAYAMA <d.hatayama@jp.fujitsu.com>
> CC: Paul Mundt <lethal@linux-sh.org>

Acked-by: Paul Mundt <lethal@linux-sh.org>

