[RFC PATCH 1/2] binfmt_elf: Fix corner case kfree of uninitialized data

[RFC PATCH 1/2] binfmt_elf: Fix corner case kfree of uninitialized data

[Alan Cox]

Could do with double checking...

From: Alan Cox <alan@linux.intel.com>

If elf_core_dump is called and fill_note_info fails in the kmalloc then
it returns 0 but has not yet initialised all the needed fields. As a result
we do a kfree(randomness) after correctly skipping the thread data.

Signed-off-by: Alan Cox <alan@linux.intel.com>
---

 fs/binfmt_elf.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
index 1b4efbc..bf6d82b 100644
--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -1492,8 +1492,10 @@ static int fill_note_info(struct elfhdr *elf, int phdrs,
 	info->thread = NULL;
 
 	psinfo = kmalloc(sizeof(*psinfo), GFP_KERNEL);
-	if (psinfo == NULL)
+	if (psinfo == NULL) {
+		info->psinfo.data = NULL;	/* So we don't free this wrongly */
 		return 0;
+        }
 
 	fill_note(&info->psinfo, "CORE", NT_PRPSINFO, sizeof(*psinfo), psinfo);
 

[RFC PATCH 2/2] binfmt_elf: Uninitialized variable

[Alan Cox]

From: Alan Cox <alan@linux.intel.com>

load_elf_interp has interp_map_addr carefully described as
"uninitialized_var" and marked so as to avoid a warning. However
if you trace the code it is passed into load_elf_interp and then
this value is checked against NULL.

As this return value isn't used this is actually safe but it freaks
various analysis tools that see un-initialized memory addresses
being read before their value is ever defined.

Set it to NULL as a matter of programming good taste if nothing else

Signed-off-by: Alan Cox <alan@linux.intel.com>
---

 fs/binfmt_elf.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
index bf6d82b..5fb4801 100644
--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -880,7 +880,7 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs)
 	}
 
 	if (elf_interpreter) {
-		unsigned long uninitialized_var(interp_map_addr);
+		unsigned long interp_map_addr = 0;
 
 		elf_entry = load_elf_interp(&loc->interp_elf_ex,
 					    interpreter,

Re: [RFC PATCH 1/2] binfmt_elf: Fix corner case kfree of uninitialized data

[Andrew Morton]

On Wed, 19 Sep 2012 15:44:35 +0100
Alan Cox <alan@lxorguk.ukuu.org.uk> wrote:

> Could do with double checking...
> 
> From: Alan Cox <alan@linux.intel.com>
> 
> If elf_core_dump is called and fill_note_info fails in the kmalloc then
> it returns 0 but has not yet initialised all the needed fields. As a result
> we do a kfree(randomness) after correctly skipping the thread data.
> 
> Signed-off-by: Alan Cox <alan@linux.intel.com>
> ---
> 
>  fs/binfmt_elf.c |    4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
> index 1b4efbc..bf6d82b 100644
> --- a/fs/binfmt_elf.c
> +++ b/fs/binfmt_elf.c
> @@ -1492,8 +1492,10 @@ static int fill_note_info(struct elfhdr *elf, int phdrs,
>  	info->thread = NULL;
>  
>  	psinfo = kmalloc(sizeof(*psinfo), GFP_KERNEL);
> -	if (psinfo == NULL)
> +	if (psinfo == NULL) {
> +		info->psinfo.data = NULL;	/* So we don't free this wrongly */
>  		return 0;
> +        }
>  
>  	fill_note(&info->psinfo, "CORE", NT_PRPSINFO, sizeof(*psinfo), psinfo);

afaict it's NotABug, because fill_note_info() does

	info->thread = NULL;

	psinfo = kmalloc(sizeof(*psinfo), GFP_KERNEL);
	if (psinfo == NULL) {

and free_note_info() does

        struct elf_thread_core_info *threads = info->thread;
        while (threads) {

so free_note_info() won't enter the freeing loop at all.

Which is just as well, because info->thread_notes is uninitialised at
this time.


It all looks rather fragile - I'm wondering if it would be sanest to
memset `info' right at the outset in elf_core_dump(), then weed out all
the now-unneeded zeroizings in fill_note_info().


Also, how irritating is it that fill_note_info() has a local var
`psinfo' which has a different type from info->psinfo.  That had me
running around for a while...

Re: [RFC PATCH 2/2] binfmt_elf: Uninitialized variable

[Andrew Morton]

On Wed, 19 Sep 2012 15:45:01 +0100
Alan Cox <alan@lxorguk.ukuu.org.uk> wrote:

> load_elf_interp has interp_map_addr carefully described as
> "uninitialized_var" and marked so as to avoid a warning. However
> if you trace the code it is passed into load_elf_interp and then
> this value is checked against NULL.
> 
> As this return value isn't used this is actually safe but it freaks
> various analysis tools that see un-initialized memory addresses
> being read before their value is ever defined.
> 
> Set it to NULL as a matter of programming good taste if nothing else
> 
> Signed-off-by: Alan Cox <alan@linux.intel.com>
> ---
> 
>  fs/binfmt_elf.c |    2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
> index bf6d82b..5fb4801 100644
> --- a/fs/binfmt_elf.c
> +++ b/fs/binfmt_elf.c
> @@ -880,7 +880,7 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs)
>  	}
>  
>  	if (elf_interpreter) {
> -		unsigned long uninitialized_var(interp_map_addr);
> +		unsigned long interp_map_addr = 0;
>  
>  		elf_entry = load_elf_interp(&loc->interp_elf_ex,
>  					    interpreter,

That looks right to me.