[PATCH] Invalid return value of execve() resulting in oopses

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Pavel Emelianov <xemul@sw.ru>
To: Andrew Morton <akpm@osdl.org>,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Cc: Kirill Korotaev <dev@openvz.org>,
	Alexey Kuznetsov <alexey@openvz.org>,
	devel@openvz.org
Subject: [PATCH] Invalid return value of execve() resulting in oopses
Date: Thu, 03 May 2007 14:16:45 +0400	[thread overview]
Message-ID: <4639B68D.3000700@sw.ru> (raw)

From: Alexey Kuznetsov <alexey@openvz.org>

When elf loader fails to map executable (due to memory shortage or
because binary is malformed), it can return 0. Normally, this is 
invisible because process is killed with SIGKILL and it never returns
to user space.

But if exec() is called from kernel thread (hotplug, whatever)
consequences are more interesting and vary depending on architecture.

i386.   Nothing especially interesting, execve() just returns 
        with "success"  :-)

x86_64. Fake zero frame is used on way to caller, RSP/RIP are loaded
        with zeros, ergo... double fault.

ia64.   Similar to i386, but r32...r95 are corrupted. Sometimes it 
        oopses due to return to zero PC, sometimes it sees NaT in 
        rXX and oopses due to NaT consumption.

Signed-off-by: Alexey Kuznetsov <alexey@openvz.org>
Signed-off-by: Kirill Korotaev <dev@openvz.org>
Signed-off-by: Pavel Emelianov <xemul@openvz.org>

---

diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
index 67d9b31..fa8ea33 100644
--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -871,6 +871,8 @@ static int load_elf_binary(struct linux_
 				elf_prot, elf_flags);
 		if (BAD_ADDR(error)) {
 			send_sig(SIGKILL, current, 0);
+			retval = IS_ERR((void *)error) ?
+				PTR_ERR((void*)error) : -EINVAL;
 			goto out_free_dentry;
 		}
 
@@ -900,6 +902,7 @@ static int load_elf_binary(struct linux_
 		    TASK_SIZE - elf_ppnt->p_memsz < k) {
 			/* set_brk can never work. Avoid overflows. */
 			send_sig(SIGKILL, current, 0);
+			retval = -EINVAL;
 			goto out_free_dentry;
 		}

                 reply	other threads:[~2007-05-03 10:12 UTC|newest]

Thread overview: [no followups] expand[flat|nested]  mbox.gz  Atom feed

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:67d9b31 dfblob:fa8ea33 )
 OR (
bs:"[PATCH] Invalid return value of execve() resulting in oopses" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=4639B68D.3000700@sw.ru \
    --to=xemul@sw.ru \
    --cc=akpm@osdl.org \
    --cc=alexey@openvz.org \
    --cc=dev@openvz.org \
    --cc=devel@openvz.org \
    --cc=linux-kernel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox