From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Jann Horn <jannh@google.com>,
Alexander Viro <viro@zeniv.linux.org.uk>,
Kees Cook <keescook@chromium.org>,
Nicolas Pitre <nicolas.pitre@linaro.org>,
Arnd Bergmann <arnd@arndb.de>,
Geert Uytterhoeven <geert@linux-m68k.org>,
Russell King <linux@armlinux.org.uk>,
Greg Ungerer <gerg@linux-m68k.org>,
Andrew Morton <akpm@linux-foundation.org>,
Linus Torvalds <torvalds@linux-foundation.org>
Subject: [PATCH 4.14 18/43] fs/binfmt_flat.c: make load_flat_shared_library() work
Date: Tue, 2 Jul 2019 10:01:58 +0200 [thread overview]
Message-ID: <20190702080124.740115176@linuxfoundation.org> (raw)
In-Reply-To: <20190702080123.904399496@linuxfoundation.org>
From: Jann Horn <jannh@google.com>
commit 867bfa4a5fcee66f2b25639acae718e8b28b25a5 upstream.
load_flat_shared_library() is broken: It only calls load_flat_file() if
prepare_binprm() returns zero, but prepare_binprm() returns the number of
bytes read - so this only happens if the file is empty.
Instead, call into load_flat_file() if the number of bytes read is
non-negative. (Even if the number of bytes is zero - in that case,
load_flat_file() will see nullbytes and return a nice -ENOEXEC.)
In addition, remove the code related to bprm creds and stop using
prepare_binprm() - this code is loading a library, not a main executable,
and it only actually uses the members "buf", "file" and "filename" of the
linux_binprm struct. Instead, call kernel_read() directly.
Link: http://lkml.kernel.org/r/20190524201817.16509-1-jannh@google.com
Fixes: 287980e49ffc ("remove lots of IS_ERR_VALUE abuses")
Signed-off-by: Jann Horn <jannh@google.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Kees Cook <keescook@chromium.org>
Cc: Nicolas Pitre <nicolas.pitre@linaro.org>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Geert Uytterhoeven <geert@linux-m68k.org>
Cc: Russell King <linux@armlinux.org.uk>
Cc: Greg Ungerer <gerg@linux-m68k.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/binfmt_flat.c | 23 +++++++----------------
1 file changed, 7 insertions(+), 16 deletions(-)
--- a/fs/binfmt_flat.c
+++ b/fs/binfmt_flat.c
@@ -856,9 +856,14 @@ err:
static int load_flat_shared_library(int id, struct lib_info *libs)
{
+ /*
+ * This is a fake bprm struct; only the members "buf", "file" and
+ * "filename" are actually used.
+ */
struct linux_binprm bprm;
int res;
char buf[16];
+ loff_t pos = 0;
memset(&bprm, 0, sizeof(bprm));
@@ -872,25 +877,11 @@ static int load_flat_shared_library(int
if (IS_ERR(bprm.file))
return res;
- bprm.cred = prepare_exec_creds();
- res = -ENOMEM;
- if (!bprm.cred)
- goto out;
-
- /* We don't really care about recalculating credentials at this point
- * as we're past the point of no return and are dealing with shared
- * libraries.
- */
- bprm.called_set_creds = 1;
-
- res = prepare_binprm(&bprm);
+ res = kernel_read(bprm.file, bprm.buf, BINPRM_BUF_SIZE, &pos);
- if (!res)
+ if (res >= 0)
res = load_flat_file(&bprm, libs, id, NULL);
- abort_creds(bprm.cred);
-
-out:
allow_write_access(bprm.file);
fput(bprm.file);
next prev parent reply other threads:[~2019-07-02 8:12 UTC|newest]
Thread overview: 57+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-07-02 8:01 [PATCH 4.14 00/43] 4.14.132-stable review Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 4.14 01/43] perf ui helpline: Use strlcpy() as a shorter form of strncpy() + explicit set nul Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 4.14 02/43] perf help: Remove needless use of strncpy() Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 4.14 03/43] perf header: Fix unchecked usage " Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 4.14 04/43] Revert "x86/uaccess, ftrace: Fix ftrace_likely_update() vs. SMAP" Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 4.14 05/43] IB/hfi1: Close PSM sdma_progress sleep window Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 4.14 06/43] block: add a lower-level bio_add_page interface Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 4.14 07/43] block: bio_iov_iter_get_pages: pin more pages for multi-segment IOs Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 4.14 08/43] 9p/xen: fix check for xenbus_read error in front_probe Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 4.14 09/43] 9p/rdma: do not disconnect on down_interruptible EAGAIN Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 4.14 10/43] 9p: acl: fix uninitialized iattr access Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 4.14 11/43] 9p/rdma: remove useless check in cm_event_handler Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 4.14 12/43] 9p: p9dirent_read: check network-provided name length Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 4.14 13/43] net/9p: include trans_common.h to fix missing prototype warning Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 4.14 14/43] qmi_wwan: Fix out-of-bounds read Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 4.14 15/43] Revert "compiler.h: update definition of unreachable()" Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 4.14 16/43] fs/proc/array.c: allow reporting eip/esp for all coredumping threads Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 4.14 17/43] mm/mempolicy.c: fix an incorrect rebind node in mpol_rebind_nodemask Greg Kroah-Hartman
2019-07-02 8:01 ` Greg Kroah-Hartman [this message]
2019-07-02 8:01 ` [PATCH 4.14 19/43] mm/page_idle.c: fix oops because end_pfn is larger than max_pfn Greg Kroah-Hartman
2019-07-02 8:02 ` [PATCH 4.14 20/43] dm log writes: make sure super sector log updates are written in order Greg Kroah-Hartman
2019-07-02 8:02 ` [PATCH 4.14 21/43] scsi: vmw_pscsi: Fix use-after-free in pvscsi_queue_lck() Greg Kroah-Hartman
2019-07-02 8:02 ` [PATCH 4.14 22/43] x86/speculation: Allow guests to use SSBD even if host does not Greg Kroah-Hartman
2019-07-02 8:02 ` [PATCH 4.14 23/43] x86/microcode: Fix the microcode load on CPU hotplug for real Greg Kroah-Hartman
2019-07-02 8:02 ` [PATCH 4.14 24/43] NFS/flexfiles: Use the correct TCP timeout for flexfiles I/O Greg Kroah-Hartman
2019-07-02 8:02 ` [PATCH 4.14 25/43] cpu/speculation: Warn on unsupported mitigations= parameter Greg Kroah-Hartman
2019-07-02 8:02 ` [PATCH 4.14 26/43] eeprom: at24: fix unexpected timeout under high load Greg Kroah-Hartman
2019-07-02 8:02 ` [PATCH 4.14 27/43] af_packet: Block execution of tasks waiting for transmit to complete in AF_PACKET Greg Kroah-Hartman
2019-07-02 8:02 ` [PATCH 4.14 28/43] ipv4: Use return value of inet_iif() for __raw_v4_lookup in the while loop Greg Kroah-Hartman
2019-07-02 8:02 ` [PATCH 4.14 29/43] net/packet: fix memory leak in packet_set_ring() Greg Kroah-Hartman
2019-07-02 8:02 ` [PATCH 4.14 30/43] net: remove duplicate fetch in sock_getsockopt Greg Kroah-Hartman
2019-07-02 8:02 ` [PATCH 4.14 31/43] net: stmmac: fixed new system time seconds value calculation Greg Kroah-Hartman
2019-07-02 8:02 ` [PATCH 4.14 32/43] sctp: change to hold sk after auth shkey is created successfully Greg Kroah-Hartman
2019-07-02 8:02 ` [PATCH 4.14 33/43] tipc: change to use register_pernet_device Greg Kroah-Hartman
2019-07-02 8:02 ` [PATCH 4.14 34/43] tipc: check msg->req data len in tipc_nl_compat_bearer_disable Greg Kroah-Hartman
2019-07-02 8:02 ` [PATCH 4.14 35/43] tun: wake up waitqueues after IFF_UP is set Greg Kroah-Hartman
2019-07-02 8:02 ` [PATCH 4.14 36/43] team: Always enable vlan tx offload Greg Kroah-Hartman
2019-07-02 8:02 ` [PATCH 4.14 37/43] bonding: " Greg Kroah-Hartman
2019-07-02 8:02 ` [PATCH 4.14 38/43] bpf: udp: Avoid calling reuseports bpf_prog from udp_gro Greg Kroah-Hartman
2019-07-02 8:02 ` [PATCH 4.14 39/43] bpf: udp: ipv6: Avoid running reuseports bpf_prog from __udp6_lib_err Greg Kroah-Hartman
2019-07-02 8:02 ` [PATCH 4.14 40/43] arm64: futex: Avoid copying out uninitialised stack in failed cmpxchg() Greg Kroah-Hartman
2019-07-02 8:02 ` [PATCH 4.14 41/43] bpf, arm64: use more scalable stadd over ldxr / stxr loop in xadd Greg Kroah-Hartman
2019-07-02 8:02 ` [PATCH 4.14 42/43] futex: Update comments and docs about return values of arch futex code Greg Kroah-Hartman
2019-07-02 8:02 ` [PATCH 4.14 43/43] tipc: pass tunnel dev as NULL to udp_tunnel(6)_xmit_skb Greg Kroah-Hartman
2019-08-01 10:17 ` Rantala, Tommi T. (Nokia - FI/Espoo)
2019-08-02 7:28 ` gregkh
2019-08-02 11:03 ` Rantala, Tommi T. (Nokia - FI/Espoo)
2019-08-02 11:34 ` gregkh
2019-08-03 0:45 ` Xin Long
2019-08-03 7:11 ` gregkh
2019-07-02 12:12 ` [PATCH 4.14 00/43] 4.14.132-stable review kernelci.org bot
2019-07-02 15:43 ` Naresh Kamboju
2019-07-02 20:22 ` Guenter Roeck
2019-07-02 21:10 ` Kelsey Skunberg
2019-07-02 22:51 ` shuah
2019-07-03 10:20 ` Jon Hunter
2019-07-04 5:26 ` Bharath Vedartham
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190702080124.740115176@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=akpm@linux-foundation.org \
--cc=arnd@arndb.de \
--cc=geert@linux-m68k.org \
--cc=gerg@linux-m68k.org \
--cc=jannh@google.com \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux@armlinux.org.uk \
--cc=nicolas.pitre@linaro.org \
--cc=stable@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).