linux-kernel.vger.kernel.org archive mirror
From: Kamal Mostafa <kamal@canonical.com>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org,
	kernel-team@lists.ubuntu.com
Cc: "Maciej W. Rozycki" <macro@imgtec.com>,
	Al Viro <viro@zeniv.linux.org.uk>,
	Kamal Mostafa <kamal@canonical.com>
Subject: [PATCH 3.13.y-ckt 72/86] binfmt_elf: Don't clobber passed executable's file header
Date: Wed,  2 Dec 2015 14:54:33 -0800
Message-ID: <1449096887-23017-73-git-send-email-kamal@canonical.com>
In-Reply-To: <1449096887-23017-1-git-send-email-kamal@canonical.com>

3.13.11-ckt31 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: "Maciej W. Rozycki" <macro@imgtec.com>

commit b582ef5c53040c5feef4c96a8f9585b6831e2441 upstream.

Do not clobber the buffer space passed from `search_binary_handler' and
originally preloaded by `prepare_binprm' with the executable's file
header by overwriting it with its interpreter's file header.  Instead
keep the buffer space intact and directly use the data structure locally
allocated for the interpreter's file header, fixing a bug introduced in
2.1.14 with loadable module support (linux-mips.org commit beb11695
[Import of Linux/MIPS 2.1.14], predating kernel.org repo's history).
Adjust the amount of data read from the interpreter's file accordingly.

This was not an issue before loadable module support, because back then
`load_elf_binary' was executed only once for a given ELF executable,
whether the function succeeded or failed.

With loadable module support supported and enabled, upon a failure of
`load_elf_binary' -- which may for example be caused by architecture
code rejecting an executable due to a missing hardware feature requested
in the file header -- a module load is attempted and then the function
reexecuted by `search_binary_handler'.  With the executable's file
header replaced with its interpreter's file header the executable can
then be erroneously accepted in this subsequent attempt.

Signed-off-by: Maciej W. Rozycki <macro@imgtec.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 fs/binfmt_elf.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
index 509e7549..2a1c31a 100644
--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -682,16 +682,16 @@ static int load_elf_binary(struct linux_binprm *bprm)
 			 */
 			would_dump(bprm, interpreter);
 
-			retval = kernel_read(interpreter, 0, bprm->buf,
-					     BINPRM_BUF_SIZE);
-			if (retval != BINPRM_BUF_SIZE) {
+			/* Get the exec headers */
+			retval = kernel_read(interpreter, 0,
+					     (void *)&loc->interp_elf_ex,
+					     sizeof(loc->interp_elf_ex));
+			if (retval != sizeof(loc->interp_elf_ex)) {
 				if (retval >= 0)
 					retval = -EIO;
 				goto out_free_dentry;
 			}
 
-			/* Get the exec headers */
-			loc->interp_elf_ex = *((struct elfhdr *)bprm->buf);
 			break;
 		}
 		elf_ppnt++;
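Review bot: with the interpreter header now read straight into loc->interp_elf_ex, the short-read check `if (retval != sizeof(loc->interp_elf_ex))` is the only guard on that struct before it is used, so it is worth confirming that nothing further down in load_elf_binary still expects bprm->buf to hold the interpreter's header (the removed `loc->interp_elf_ex = *((struct elfhdr *)bprm->buf);` is the only consumer visible in this hunk, and leaving bprm->buf untouched is the whole point of the change). Also note that the read shrinks from BINPRM_BUF_SIZE to sizeof(loc->interp_elf_ex); that covers the header itself, but any later code that relied on the extra interpreter bytes that used to land in bprm->buf would now need its own read.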
-- 
1.9.1
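The commit message describes a retry path that is easy to misread: the executable is rejected once, a module load is attempted, and the same bprm is handed to the loader again. The following is an added user-space model of that path, written for this page and not taken from the patch or the kernel. The names search_binary_handler, load_elf_binary, bprm->buf and interp_elf_ex mirror the kernel's, but every structure and function here is a constructed stand-in; EF_NEEDS_FEATURE, hw_has_feature, run_scenario and the use of -ENOEXEC for the architecture check are assumptions made for the demo. The `clobber` flag selects the pre-fix behaviour (interpreter header read through bprm->buf) or the post-fix behaviour (read directly into the local struct).

```c
/* Added example, not kernel code: a model of the binfmt retry path from
 * the commit message. All names below are stand-ins for the kernel's. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BINPRM_BUF_SIZE  128
#define ELF_MAGIC        0x464c457fu  /* "\x7fELF", little-endian */
#define EF_NEEDS_FEATURE 0x1u         /* hypothetical "needs HW feature" flag */

/* Minimal stand-in for struct elfhdr: just the fields the demo reads. */
struct elfhdr {
    uint32_t e_magic;
    uint32_t e_flags;
};

/* Stand-in for struct linux_binprm: only the preloaded header buffer. */
struct linux_binprm {
    unsigned char buf[BINPRM_BUF_SIZE];
};

/* Whether the (simulated) CPU has the feature an executable may demand. */
static int hw_has_feature = 0;

/* Model of load_elf_binary. The executable header is copied out of
 * bprm->buf first, then the interpreter header is fetched. With clobber
 * set, the fetch goes through bprm->buf (pre-fix kernel_read into
 * bprm->buf); otherwise it lands in the local interp_elf_ex (post-fix).
 * The architecture check runs last, after both headers are available. */
static int load_elf_binary(struct linux_binprm *bprm,
                           const struct elfhdr *interp_file, int clobber)
{
    struct elfhdr elf_ex;
    struct elfhdr interp_elf_ex;

    memcpy(&elf_ex, bprm->buf, sizeof(elf_ex));
    if (elf_ex.e_magic != ELF_MAGIC)
        return -ENOEXEC;

    if (clobber) {
        /* pre-fix: interpreter bytes overwrite the executable's header */
        memcpy(bprm->buf, interp_file, sizeof(*interp_file));
        memcpy(&interp_elf_ex, bprm->buf, sizeof(interp_elf_ex));
    } else {
        /* post-fix: read straight into the local struct, bprm->buf intact */
        memcpy(&interp_elf_ex, interp_file, sizeof(interp_elf_ex));
    }
    if (interp_elf_ex.e_magic != ELF_MAGIC)
        return -ENOEXEC;

    /* Constructed architecture check: refuse an executable that demands a
     * feature this CPU lacks (the "missing hardware feature" case). */
    if ((elf_ex.e_flags & EF_NEEDS_FEATURE) && !hw_has_feature)
        return -ENOEXEC;

    return 0; /* accepted */
}

/* Model of search_binary_handler with module support: on -ENOEXEC it
 * would request a binfmt module, then re-run the handler on the same
 * bprm. The module load itself is omitted; only the retry matters. */
static int search_binary_handler(struct linux_binprm *bprm,
                                 const struct elfhdr *interp_file, int clobber)
{
    int retval = load_elf_binary(bprm, interp_file, clobber);
    if (retval == -ENOEXEC) {
        /* request_module("binfmt-%04x", ...) would run here, then retry */
        retval = load_elf_binary(bprm, interp_file, clobber);
    }
    return retval;
}

/* The scenario from the commit message: an executable that demands a
 * feature the CPU lacks, with an interpreter (think ld.so) that does not.
 * Returns what exec() would see: 0 (accepted) or a negative errno. */
static int run_scenario(int clobber)
{
    struct linux_binprm bprm;
    struct elfhdr exec_hdr   = { ELF_MAGIC, EF_NEEDS_FEATURE };
    struct elfhdr interp_hdr = { ELF_MAGIC, 0 };

    /* prepare_binprm preloads the executable's header into bprm->buf */
    memset(&bprm, 0, sizeof(bprm));
    memcpy(bprm.buf, &exec_hdr, sizeof(exec_hdr));
    return search_binary_handler(&bprm, &interp_hdr, clobber);
}

int main(void)
{
    printf("pre-fix  (buffer clobbered): %d\n", run_scenario(1)); /* 0 */
    printf("post-fix (buffer intact):    %d\n", run_scenario(0)); /* -ENOEXEC */
    return 0;
}
```

With the buffer clobbered, the second pass copies the interpreter's header out of bprm->buf as if it were the executable's, finds no feature demand, and accepts a binary the first pass had correctly refused; with the buffer left intact the retry sees the same header and fails the same way, which is the behaviour the patch restores.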

