From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Jann Horn <jannh@google.com>,
Alexander Viro <viro@zeniv.linux.org.uk>,
Kees Cook <keescook@chromium.org>,
Nicolas Pitre <nicolas.pitre@linaro.org>,
Arnd Bergmann <arnd@arndb.de>,
Geert Uytterhoeven <geert@linux-m68k.org>,
Russell King <linux@armlinux.org.uk>,
Greg Ungerer <gerg@linux-m68k.org>,
Andrew Morton <akpm@linux-foundation.org>,
Linus Torvalds <torvalds@linux-foundation.org>
Subject: [PATCH 4.4 01/73] fs/binfmt_flat.c: make load_flat_shared_library() work
Date: Mon, 8 Jul 2019 17:12:11 +0200 [thread overview]
Message-ID: <20190708150516.969813037@linuxfoundation.org> (raw)
In-Reply-To: <20190708150513.136580595@linuxfoundation.org>
From: Jann Horn <jannh@google.com>
commit 867bfa4a5fcee66f2b25639acae718e8b28b25a5 upstream.
load_flat_shared_library() is broken: It only calls load_flat_file() if
prepare_binprm() returns zero, but prepare_binprm() returns the number of
bytes read - so this only happens if the file is empty.
Instead, call into load_flat_file() if the number of bytes read is
non-negative. (Even if the number of bytes is zero - in that case,
load_flat_file() will see nullbytes and return a nice -ENOEXEC.)
In addition, remove the code related to bprm creds and stop using
prepare_binprm() - this code is loading a library, not a main executable,
and it only actually uses the members "buf", "file" and "filename" of the
linux_binprm struct. Instead, call kernel_read() directly.
Link: http://lkml.kernel.org/r/20190524201817.16509-1-jannh@google.com
Fixes: 287980e49ffc ("remove lots of IS_ERR_VALUE abuses")
Signed-off-by: Jann Horn <jannh@google.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Kees Cook <keescook@chromium.org>
Cc: Nicolas Pitre <nicolas.pitre@linaro.org>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Geert Uytterhoeven <geert@linux-m68k.org>
Cc: Russell King <linux@armlinux.org.uk>
Cc: Greg Ungerer <gerg@linux-m68k.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/binfmt_flat.c | 24 +++++++-----------------
1 file changed, 7 insertions(+), 17 deletions(-)
--- a/fs/binfmt_flat.c
+++ b/fs/binfmt_flat.c
@@ -808,9 +808,14 @@ err:
static int load_flat_shared_library(int id, struct lib_info *libs)
{
+ /*
+ * This is a fake bprm struct; only the members "buf", "file" and
+ * "filename" are actually used.
+ */
struct linux_binprm bprm;
int res;
char buf[16];
+ loff_t pos = 0;
memset(&bprm, 0, sizeof(bprm));
@@ -824,25 +829,10 @@ static int load_flat_shared_library(int
if (IS_ERR(bprm.file))
return res;
- bprm.cred = prepare_exec_creds();
- res = -ENOMEM;
- if (!bprm.cred)
- goto out;
-
- /* We don't really care about recalculating credentials at this point
- * as we're past the point of no return and are dealing with shared
- * libraries.
- */
- bprm.cred_prepared = 1;
-
- res = prepare_binprm(&bprm);
-
- if (!IS_ERR_VALUE(res))
+ res = kernel_read(bprm.file, pos, bprm.buf, BINPRM_BUF_SIZE);
+ if (res >= 0)
res = load_flat_file(&bprm, libs, id, NULL);
- abort_creds(bprm.cred);
-
-out:
allow_write_access(bprm.file);
fput(bprm.file);
next prev parent reply other threads:[~2019-07-08 15:14 UTC|newest]
Thread overview: 79+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-07-08 15:12 [PATCH 4.4 00/73] 4.4.185-stable review Greg Kroah-Hartman
2019-07-08 15:12 ` Greg Kroah-Hartman [this message]
2019-07-08 15:12 ` [PATCH 4.4 02/73] mm/page_idle.c: fix oops because end_pfn is larger than max_pfn Greg Kroah-Hartman
2019-07-08 15:12 ` [PATCH 4.4 03/73] scsi: vmw_pscsi: Fix use-after-free in pvscsi_queue_lck() Greg Kroah-Hartman
2019-07-08 15:12 ` [PATCH 4.4 04/73] tracing: Silence GCC 9 array bounds warning Greg Kroah-Hartman
2019-07-08 15:12 ` [PATCH 4.4 05/73] gcc-9: silence address-of-packed-member warning Greg Kroah-Hartman
2019-07-08 15:12 ` [PATCH 4.4 06/73] usb: chipidea: udc: workaround for endpoint conflict issue Greg Kroah-Hartman
2019-07-08 15:12 ` [PATCH 4.4 07/73] Input: uinput - add compat ioctl number translation for UI_*_FF_UPLOAD Greg Kroah-Hartman
2019-07-08 15:12 ` [PATCH 4.4 08/73] apparmor: enforce nullbyte at end of tag string Greg Kroah-Hartman
2019-07-08 15:12 ` [PATCH 4.4 09/73] parport: Fix mem leak in parport_register_dev_model Greg Kroah-Hartman
2019-07-08 15:12 ` [PATCH 4.4 10/73] parisc: Fix compiler warnings in float emulation code Greg Kroah-Hartman
2019-07-08 15:12 ` [PATCH 4.4 11/73] IB/hfi1: Insure freeze_work work_struct is canceled on shutdown Greg Kroah-Hartman
2019-07-08 15:12 ` [PATCH 4.4 12/73] MIPS: uprobes: remove set but not used variable epc Greg Kroah-Hartman
2019-07-08 15:12 ` [PATCH 4.4 13/73] net: hns: Fix loopback test failed at copper ports Greg Kroah-Hartman
2019-07-08 15:12 ` [PATCH 4.4 14/73] sparc: perf: fix updated event period in response to PERF_EVENT_IOC_PERIOD Greg Kroah-Hartman
2019-07-08 15:12 ` [PATCH 4.4 15/73] scripts/checkstack.pl: Fix arm64 wrong or unknown architecture Greg Kroah-Hartman
2019-07-08 15:12 ` [PATCH 4.4 16/73] scsi: ufs: Check that space was properly alloced in copy_query_response Greg Kroah-Hartman
2019-07-08 15:12 ` [PATCH 4.4 17/73] s390/qeth: fix VLAN attribute in bridge_hostnotify udev event Greg Kroah-Hartman
2019-07-08 15:12 ` [PATCH 4.4 18/73] hwmon: (pmbus/core) Treat parameters as paged if on multiple pages Greg Kroah-Hartman
2019-07-08 15:12 ` [PATCH 4.4 19/73] Btrfs: fix race between readahead and device replace/removal Greg Kroah-Hartman
2019-07-08 15:12 ` [PATCH 4.4 20/73] btrfs: start readahead also in seed devices Greg Kroah-Hartman
2019-07-08 15:12 ` [PATCH 4.4 21/73] can: flexcan: fix timeout when set small bitrate Greg Kroah-Hartman
2019-07-08 15:12 ` [PATCH 4.4 22/73] can: purge socket error queue on sock destruct Greg Kroah-Hartman
2019-07-08 15:12 ` [PATCH 4.4 23/73] ARM: imx: cpuidle-imx6sx: Restrict the SW2ISO increase to i.MX6SX Greg Kroah-Hartman
2019-07-08 15:12 ` [PATCH 4.4 24/73] Bluetooth: Align minimum encryption key size for LE and BR/EDR connections Greg Kroah-Hartman
2019-07-08 15:12 ` [PATCH 4.4 25/73] Bluetooth: Fix regression with minimum encryption key size alignment Greg Kroah-Hartman
2019-07-08 15:12 ` [PATCH 4.4 26/73] SMB3: retry on STATUS_INSUFFICIENT_RESOURCES instead of failing write Greg Kroah-Hartman
2019-07-08 15:12 ` [PATCH 4.4 27/73] cfg80211: fix memory leak of wiphy device name Greg Kroah-Hartman
2019-07-08 15:12 ` [PATCH 4.4 28/73] mac80211: drop robust management frames from unknown TA Greg Kroah-Hartman
2019-07-08 15:12 ` [PATCH 4.4 29/73] perf ui helpline: Use strlcpy() as a shorter form of strncpy() + explicit set nul Greg Kroah-Hartman
2019-07-08 15:12 ` [PATCH 4.4 30/73] perf help: Remove needless use of strncpy() Greg Kroah-Hartman
2019-07-08 15:12 ` [PATCH 4.4 31/73] 9p/rdma: do not disconnect on down_interruptible EAGAIN Greg Kroah-Hartman
2019-07-08 15:12 ` [PATCH 4.4 32/73] 9p: acl: fix uninitialized iattr access Greg Kroah-Hartman
2019-07-08 15:12 ` [PATCH 4.4 33/73] 9p/rdma: remove useless check in cm_event_handler Greg Kroah-Hartman
2019-07-08 15:12 ` [PATCH 4.4 34/73] 9p: p9dirent_read: check network-provided name length Greg Kroah-Hartman
2019-07-08 15:12 ` [PATCH 4.4 35/73] net/9p: include trans_common.h to fix missing prototype warning Greg Kroah-Hartman
2019-07-08 15:12 ` [PATCH 4.4 36/73] KVM: X86: Fix scan ioapic use-before-initialization Greg Kroah-Hartman
2019-07-08 15:12 ` [PATCH 4.4 37/73] ovl: modify ovl_permission() to do checks on two inodes Greg Kroah-Hartman
2019-07-08 15:12 ` [PATCH 4.4 38/73] x86/speculation: Allow guests to use SSBD even if host does not Greg Kroah-Hartman
2019-07-08 15:12 ` [PATCH 4.4 39/73] cpu/speculation: Warn on unsupported mitigations= parameter Greg Kroah-Hartman
2019-07-08 15:12 ` [PATCH 4.4 40/73] sctp: change to hold sk after auth shkey is created successfully Greg Kroah-Hartman
2019-07-08 15:12 ` [PATCH 4.4 41/73] tipc: change to use register_pernet_device Greg Kroah-Hartman
2019-07-08 15:12 ` [PATCH 4.4 42/73] tipc: check msg->req data len in tipc_nl_compat_bearer_disable Greg Kroah-Hartman
2019-07-08 15:12 ` [PATCH 4.4 43/73] team: Always enable vlan tx offload Greg Kroah-Hartman
2019-07-08 15:12 ` [PATCH 4.4 44/73] ipv4: Use return value of inet_iif() for __raw_v4_lookup in the while loop Greg Kroah-Hartman
2019-07-08 15:12 ` [PATCH 4.4 45/73] bonding: Always enable vlan tx offload Greg Kroah-Hartman
2019-07-08 15:12 ` [PATCH 4.4 46/73] net: check before dereferencing netdev_ops during busy poll Greg Kroah-Hartman
2019-07-08 15:12 ` [PATCH 4.4 47/73] Bluetooth: Fix faulty expression for minimum encryption key size check Greg Kroah-Hartman
2019-07-08 15:12 ` [PATCH 4.4 48/73] um: Compile with modern headers Greg Kroah-Hartman
2019-07-08 15:12 ` [PATCH 4.4 49/73] ASoC : cs4265 : readable register too low Greg Kroah-Hartman
2019-07-08 15:13 ` [PATCH 4.4 50/73] spi: bitbang: Fix NULL pointer dereference in spi_unregister_master Greg Kroah-Hartman
2019-07-08 15:13 ` [PATCH 4.4 51/73] ASoC: max98090: remove 24-bit format support if RJ is 0 Greg Kroah-Hartman
2019-07-08 15:13 ` [PATCH 4.4 52/73] usb: gadget: fusb300_udc: Fix memory leak of fusb300->ep[i] Greg Kroah-Hartman
2019-07-08 15:13 ` [PATCH 4.4 53/73] usb: gadget: udc: lpc32xx: allocate descriptor with GFP_ATOMIC Greg Kroah-Hartman
2019-07-08 15:13 ` [PATCH 4.4 54/73] scsi: hpsa: correct ioaccel2 chaining Greg Kroah-Hartman
2019-07-08 15:13 ` [PATCH 4.4 55/73] ARC: Assume multiplier is always present Greg Kroah-Hartman
2019-07-08 15:13 ` [PATCH 4.4 56/73] ARC: fix build warning in elf.h Greg Kroah-Hartman
2019-07-08 15:13 ` [PATCH 4.4 57/73] MIPS: math-emu: do not use bools for arithmetic Greg Kroah-Hartman
2019-07-08 15:13 ` [PATCH 4.4 58/73] mfd: omap-usb-tll: Fix register offsets Greg Kroah-Hartman
2019-07-08 15:13 ` [PATCH 4.4 59/73] swiotlb: Make linux/swiotlb.h standalone includible Greg Kroah-Hartman
2019-07-08 15:13 ` [PATCH 4.4 60/73] bug.h: work around GCC PR82365 in BUG() Greg Kroah-Hartman
2019-07-08 15:13 ` [PATCH 4.4 61/73] MIPS: Workaround GCC __builtin_unreachable reordering bug Greg Kroah-Hartman
2019-07-08 15:13 ` [PATCH 4.4 62/73] ptrace: Fix ->ptracer_cred handling for PTRACE_TRACEME Greg Kroah-Hartman
2019-07-08 15:13 ` [PATCH 4.4 63/73] crypto: user - prevent operating on larval algorithms Greg Kroah-Hartman
2019-07-08 15:13 ` [PATCH 4.4 64/73] ALSA: seq: fix incorrect order of dest_client/dest_ports arguments Greg Kroah-Hartman
2019-07-08 15:13 ` [PATCH 4.4 65/73] ALSA: firewire-lib/fireworks: fix miss detection of received MIDI messages Greg Kroah-Hartman
2019-07-08 15:13 ` [PATCH 4.4 66/73] ALSA: usb-audio: fix sign unintended sign extension on left shifts Greg Kroah-Hartman
2019-07-08 15:13 ` [PATCH 4.4 67/73] lib/mpi: Fix karactx leak in mpi_powm Greg Kroah-Hartman
2019-07-08 15:13 ` [PATCH 4.4 68/73] btrfs: Ensure replaced device doesnt have pending chunk allocation Greg Kroah-Hartman
2019-07-08 15:13 ` [PATCH 4.4 69/73] tty: rocket: fix incorrect forward declaration of rp_init() Greg Kroah-Hartman
2019-07-08 15:13 ` [PATCH 4.4 70/73] ARC: handle gcc generated __builtin_trap for older compiler Greg Kroah-Hartman
2019-07-08 15:13 ` [PATCH 4.4 71/73] arm64, vdso: Define vdso_{start,end} as array Greg Kroah-Hartman
2019-07-08 15:13 ` [PATCH 4.4 72/73] KVM: x86: degrade WARN to pr_warn_ratelimited Greg Kroah-Hartman
2019-07-08 15:13 ` [PATCH 4.4 73/73] dmaengine: imx-sdma: remove BD_INTR for channel0 Greg Kroah-Hartman
2019-07-08 19:12 ` [PATCH 4.4 00/73] 4.4.185-stable review kernelci.org bot
2019-07-09 2:37 ` shuah
2019-07-09 6:05 ` Naresh Kamboju
2019-07-09 18:40 ` Guenter Roeck
2019-07-10 6:10 ` Jon Hunter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190708150516.969813037@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=akpm@linux-foundation.org \
--cc=arnd@arndb.de \
--cc=geert@linux-m68k.org \
--cc=gerg@linux-m68k.org \
--cc=jannh@google.com \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux@armlinux.org.uk \
--cc=nicolas.pitre@linaro.org \
--cc=stable@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).