From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>,
Oleg Nesterov <oleg@redhat.com>,
Andrew Morton <akpm@linux-foundation.org>,
Linus Torvalds <torvalds@linux-foundation.org>
Subject: [ 34/48] kernel/kmod.c: check for NULL in call_usermodehelper_exec()
Date: Fri, 11 Oct 2013 12:36:41 -0700 [thread overview]
Message-ID: <20131011193640.934535503@linuxfoundation.org> (raw)
In-Reply-To: <20131011193637.253208688@linuxfoundation.org>
3.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
commit 4c1c7be95c345cf2ad537a0c48e9aeadc7304527 upstream.
If /proc/sys/kernel/core_pattern contains only "|", a NULL pointer
dereference happens upon core dump because argv_split("") returns
argv[0] == NULL.
This bug was once fixed by commit 264b83c07a84 ("usermodehelper: check
subprocess_info->path != NULL") but was by error reintroduced by commit
7f57cfa4e2aa ("usermodehelper: kill the sub_info->path[0] check").
This bug seems to exist since 2.6.19 (the version which core dump to
pipe was added). Depending on kernel version and config, some side
effect might happen immediately after this oops (e.g. kernel panic with
2.6.32-358.18.1.el6).
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Acked-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/kmod.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/kernel/kmod.c
+++ b/kernel/kmod.c
@@ -540,6 +540,10 @@ int call_usermodehelper_exec(struct subp
DECLARE_COMPLETION_ONSTACK(done);
int retval = 0;
+ if (!sub_info->path) {
+ call_usermodehelper_freeinfo(sub_info);
+ return -EINVAL;
+ }
helper_lock();
if (!sub_info->path) {
retval = -EINVAL;
next prev parent reply other threads:[~2013-10-11 19:36 UTC|newest]
Thread overview: 57+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-10-11 19:36 [ 00/48] 3.4.66-stable review Greg Kroah-Hartman
2013-10-11 19:36 ` [ 01/48] cpqarray: fix info leak in ida_locked_ioctl() Greg Kroah-Hartman
2013-10-11 19:36 ` [ 02/48] cciss: fix info leak in cciss_ioctl32_passthru() Greg Kroah-Hartman
2013-10-11 19:36 ` [ 03/48] gianfar: Change default HW Tx queue scheduling mode Greg Kroah-Hartman
2013-10-11 19:36 ` [ 04/48] caif: Add missing braces to multiline if in cfctrl_linkup_request Greg Kroah-Hartman
2013-10-11 19:36 ` [ 05/48] net: sctp: fix smatch warning in sctp_send_asconf_del_ip Greg Kroah-Hartman
2013-10-11 19:36 ` [ 06/48] net: flow_dissector: fix thoff for IPPROTO_AH Greg Kroah-Hartman
2013-10-11 19:36 ` [ 07/48] netpoll: fix NULL pointer dereference in netpoll_cleanup Greg Kroah-Hartman
2013-10-11 19:36 ` [ 08/48] net: sctp: fix ipv6 ipsec encryption bug in sctp_v6_xmit Greg Kroah-Hartman
2013-10-11 19:36 ` [ 09/48] resubmit bridge: fix message_age_timer calculation Greg Kroah-Hartman
2013-10-11 19:36 ` [ 10/48] bridge: Clamp forward_delay when enabling STP Greg Kroah-Hartman
2013-10-11 19:36 ` [ 11/48] ip: use ip_hdr() in __ip_make_skb() to retrieve IP header Greg Kroah-Hartman
2013-10-11 19:36 ` [ 12/48] ip: generate unique IP identificator if local fragmentation is allowed Greg Kroah-Hartman
2013-10-11 19:36 ` [ 13/48] ipv6: udp packets following an UFO enqueued packet need also be handled by UFO Greg Kroah-Hartman
2013-10-11 19:36 ` [ 14/48] via-rhine: fix VLAN priority field (PCP, IEEE 802.1p) Greg Kroah-Hartman
2013-10-11 19:36 ` [ 15/48] dm9601: fix IFF_ALLMULTI handling Greg Kroah-Hartman
2013-10-11 19:36 ` [ 16/48] bonding: Fix broken promiscuity reference counting issue Greg Kroah-Hartman
2013-10-11 19:36 ` [ 17/48] ipv4 igmp: use in_dev_put in timer handlers instead of __in_dev_put Greg Kroah-Hartman
2013-10-11 19:36 ` [ 18/48] ipv6 mcast: use in6_dev_put in timer handlers instead of __in6_dev_put Greg Kroah-Hartman
2013-10-11 19:36 ` [ 19/48] ll_temac: Reset dma descriptors indexes on ndo_open Greg Kroah-Hartman
2013-10-11 19:36 ` [ 20/48] ASoC: max98095: a couple array underflows Greg Kroah-Hartman
2013-10-11 19:36 ` [ 21/48] ASoC: 88pm860x: array overflow in snd_soc_put_volsw_2r_st() Greg Kroah-Hartman
2013-10-11 19:36 ` [ 22/48] powerpc/iommu: Use GFP_KERNEL instead of GFP_ATOMIC in iommu_init_table() Greg Kroah-Hartman
2013-10-11 19:36 ` [ 23/48] powerpc/vio: Fix modalias_show return values Greg Kroah-Hartman
2013-10-11 19:36 ` [ 24/48] powerpc: Fix parameter clobber in csum_partial_copy_generic() Greg Kroah-Hartman
2013-10-11 19:36 ` [ 25/48] powerpc: Restore registers on error exit from csum_partial_copy_generic() Greg Kroah-Hartman
2013-10-11 19:36 ` [ 26/48] Bluetooth: Fix security level for peripheral role Greg Kroah-Hartman
2013-10-11 19:36 ` [ 27/48] Bluetooth: Fix encryption key size " Greg Kroah-Hartman
2013-10-11 19:36 ` [ 28/48] esp_scsi: Fix tag state corruption when autosensing Greg Kroah-Hartman
2013-10-11 19:36 ` [ 29/48] sparc64: Fix ITLB handler of null page Greg Kroah-Hartman
2013-10-11 19:36 ` [ 30/48] sparc64: Remove RWSEM export leftovers Greg Kroah-Hartman
2013-10-11 19:36 ` [ 31/48] sparc64: Fix off by one in trampoline TLB mapping installation loop Greg Kroah-Hartman
2013-10-11 19:36 ` [ 32/48] sparc64: Fix not SRAed %o5 in 32-bit traced syscall Greg Kroah-Hartman
2013-10-11 19:36 ` [ 33/48] sparc32: Fix exit flag passed from traced sys_sigreturn Greg Kroah-Hartman
2013-10-11 19:36 ` Greg Kroah-Hartman [this message]
2013-10-11 22:36 ` [ 34/48] kernel/kmod.c: check for NULL in call_usermodehelper_exec() Tetsuo Handa
2013-10-13 21:50 ` Greg KH
2013-10-11 19:36 ` [ 35/48] USB: serial: option: Ignore card reader interface on Huawei E1750 Greg Kroah-Hartman
2013-10-11 19:36 ` [ 36/48] ib_srpt: Destroy cm_id before destroying QP Greg Kroah-Hartman
2013-10-11 19:36 ` [ 37/48] ib_srpt: always set response for task management Greg Kroah-Hartman
2013-10-11 19:36 ` [ 38/48] rtlwifi: Align private space in rtl_priv struct Greg Kroah-Hartman
2013-10-11 19:36 ` [ 39/48] p54usb: add USB ID for Corega WLUSB2GTST USB adapter Greg Kroah-Hartman
2013-10-11 19:36 ` [ 40/48] dmaengine: imx-dma: fix lockdep issue between irqhandler and tasklet Greg Kroah-Hartman
2013-10-11 19:36 ` [ 41/48] dmaengine: imx-dma: fix callback path in tasklet Greg Kroah-Hartman
2013-10-11 19:36 ` [ 42/48] dmaengine: imx-dma: fix slow path issue in prep_dma_cyclic Greg Kroah-Hartman
2013-10-11 19:36 ` [ 43/48] staging: comedi: ni_65xx: (bug fix) confine insn_bits to one subdevice Greg Kroah-Hartman
2013-10-11 19:36 ` [ 44/48] mm, show_mem: suppress page counts in non-blockable contexts Greg Kroah-Hartman
2013-10-11 19:36 ` [ 45/48] ACPI / IPMI: Fix atomic context requirement of ipmi_msg_handler() Greg Kroah-Hartman
2013-10-11 19:36 ` [ 46/48] tile: use a more conservative __my_cpu_offset in CONFIG_PREEMPT Greg Kroah-Hartman
2013-10-11 19:36 ` [ 47/48] Btrfs: change how we queue blocks for backref checking Greg Kroah-Hartman
2013-10-11 19:36 ` [ 48/48] ext4: avoid hang when mounting non-journal filesystems with orphan list Greg Kroah-Hartman
2013-10-11 21:56 ` [ 00/48] 3.4.66-stable review Guenter Roeck
2013-10-11 22:12 ` Greg Kroah-Hartman
2013-10-12 0:50 ` Guenter Roeck
2013-10-13 16:04 ` Greg Kroah-Hartman
2013-10-17 13:16 ` Ben Hutchings
2013-10-11 22:15 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20131011193640.934535503@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=akpm@linux-foundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=oleg@redhat.com \
--cc=penguin-kernel@I-love.SAKURA.ne.jp \
--cc=stable@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).