[PATCH][1/2] - catch ignored copy_*_user() - fs/binfmt_elf.c

[PATCH][1/2] - catch ignored copy_*_user() - fs/binfmt_elf.c

[Jeremy Huddleston]

[-- Attachment #1.1: Type: text/plain, Size: 73 bytes --]

Here are a couple patches to cleanup some uncaught copy_*_user() calls.

[-- Attachment #1.2: dontignore-fs-binfmt_elf.patch --]
[-- Type: text/x-patch, Size: 2402 bytes --]

Catch and handle some previously ignored copy_*_user() calls

Signed-off-by: Jeremy Huddleston <eradicator@gentoo.org>

diff -Naurp linux-2.6.10-rc3-bk8/fs/binfmt_elf.c linux-2.6.10-rc3-bk8.edit/fs/binfmt_elf.c
--- linux-2.6.10-rc3-bk8/fs/binfmt_elf.c	2004-12-15 00:15:45.000000000 -0800
+++ linux-2.6.10-rc3-bk8.edit/fs/binfmt_elf.c	2004-12-15 12:58:41.000000000 -0800
@@ -103,15 +103,18 @@ static int set_brk(unsigned long start, 
    be in memory */
 
 
-static void padzero(unsigned long elf_bss)
+static int padzero(unsigned long elf_bss)
 {
 	unsigned long nbyte;
 
 	nbyte = ELF_PAGEOFFSET(elf_bss);
 	if (nbyte) {
 		nbyte = ELF_MIN_ALIGN - nbyte;
-		clear_user((void __user *) elf_bss, nbyte);
+		if(clear_user((void __user *) elf_bss, nbyte))
+			return -EFAULT;
 	}
+
+	return 0;
 }
 
 /* Let's use some macros to make this stack manipulation a litle clearer */
@@ -403,7 +406,10 @@ static unsigned long load_elf_interp(str
 	 * that there are zero-mapped pages up to and including the 
 	 * last bss page.
 	 */
-	padzero(elf_bss);
+	error = padzero(elf_bss);
+	if(error)
+		goto out_close;
+
 	elf_bss = ELF_PAGESTART(elf_bss + ELF_MIN_ALIGN - 1);	/* What we have mapped so far */
 
 	/* Map the last of the bss segment */
@@ -773,7 +779,11 @@ static int load_elf_binary(struct linux_
 				nbyte = ELF_MIN_ALIGN - nbyte;
 				if (nbyte > elf_brk - elf_bss)
 					nbyte = elf_brk - elf_bss;
-				clear_user((void __user *) elf_bss + load_bias, nbyte);
+				retval = clear_user((void __user *) elf_bss + load_bias, nbyte);
+				if (retval) {
+					send_sig(SIGKILL, current, 0);
+					goto out_free_dentry;
+				}
 			}
 		}
 
@@ -857,7 +867,11 @@ static int load_elf_binary(struct linux_
 		send_sig(SIGKILL, current, 0);
 		goto out_free_dentry;
 	}
-	padzero(elf_bss);
+	retval = padzero(elf_bss);
+	if(retval) {
+		send_sig(SIGKILL, current, 0);
+		goto out_free_dentry;
+	}
 
 	if (elf_interpreter) {
 		if (interpreter_type == INTERPRETER_AOUT)
@@ -1020,7 +1034,9 @@ static int load_elf_library(struct file 
 		goto out_free_ph;
 
 	elf_bss = elf_phdata->p_vaddr + elf_phdata->p_filesz;
-	padzero(elf_bss);
+	error = padzero(elf_bss);
+	if(error)
+		goto out_free_ph;
 
 	len = ELF_PAGESTART(elf_phdata->p_filesz + elf_phdata->p_vaddr + ELF_MIN_ALIGN - 1);
 	bss = elf_phdata->p_memsz + elf_phdata->p_vaddr;

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [PATCH][1/2] - catch ignored copy_*_user() - fs/binfmt_elf.c

[Jesper Juhl]

Jeremy Huddleston wrote:
> Here are a couple patches to cleanup some uncaught copy_*_user() calls.
> 
> 
> 
> Catch and handle some previously ignored copy_*_user() calls
> 
This is more or less identical to the patch I've posted a few times 
(last time under the subject '[PATCH] binfmt_elf; do proper error 
handling if clear_user fails in padzero') and it looks sane to me.
Last time I heard anything about this Andrew said he had that patch (and 
a few related) on his todo list.

Anyway, I'll sign off on this one.

> Signed-off-by: Jeremy Huddleston <eradicator@gentoo.org>
> 
Signed-off-by: Jesper Juhl <juhl-lkml@dif.dk>