From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=3.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SIGNED_OFF_BY, SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 572A5C5B57D for ; Tue, 2 Jul 2019 08:09:20 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 2F11821855 for ; Tue, 2 Jul 2019 08:09:20 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1562054960; bh=Egxd7GBmipUcSfGsZsrwiyABLjDIQUu5RtV2kIjuesA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=Tc5EKs7eqmYhKPhJLTIcNPPGv+BuKxa8VTjkIr0qKE0LRngQXBH+QQqDyrJ/JDD9w RRiFSMBUAYost+nUb7uv1IyFhpIA2AEJF3Fm+f8Gu6FIKEjR4Oku/z0IUK53F2/90h nmGPUZiTDsUcXVxn6G0I8wbnFuwN4N+tWCgNwssk= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728631AbfGBIJS (ORCPT ); Tue, 2 Jul 2019 04:09:18 -0400 Received: from mail.kernel.org ([198.145.29.99]:57074 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728624AbfGBIJP (ORCPT ); Tue, 2 Jul 2019 04:09:15 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 39092206A2; Tue, 2 Jul 2019 08:09:14 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1562054954; bh=Egxd7GBmipUcSfGsZsrwiyABLjDIQUu5RtV2kIjuesA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=FP5BYczrdRoKCHWae2Allh5qVe3m2DcK0OTCj4GZ22hUB08JHt/SDTROJujvswNxB g+9GeURdAZVgeUTo0orFpoQRxWTO8/RlmrKP57mxM7OE6EBB8sQ3qngK1FRGg36pZa 6XeWk1x/31N/G8S4AhEppB6uiwSHQ7XKUUFPYnhk= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Jann Horn , Alexander Viro , Kees Cook , Nicolas Pitre , Arnd Bergmann , Geert Uytterhoeven , Russell King , Greg Ungerer , Andrew Morton , Linus Torvalds Subject: [PATCH 4.14 18/43] fs/binfmt_flat.c: make load_flat_shared_library() work Date: Tue, 2 Jul 2019 10:01:58 +0200 Message-Id: <20190702080124.740115176@linuxfoundation.org> X-Mailer: git-send-email 2.22.0 In-Reply-To: <20190702080123.904399496@linuxfoundation.org> References: <20190702080123.904399496@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Jann Horn commit 867bfa4a5fcee66f2b25639acae718e8b28b25a5 upstream. load_flat_shared_library() is broken: It only calls load_flat_file() if prepare_binprm() returns zero, but prepare_binprm() returns the number of bytes read - so this only happens if the file is empty. Instead, call into load_flat_file() if the number of bytes read is non-negative. (Even if the number of bytes is zero - in that case, load_flat_file() will see nullbytes and return a nice -ENOEXEC.) In addition, remove the code related to bprm creds and stop using prepare_binprm() - this code is loading a library, not a main executable, and it only actually uses the members "buf", "file" and "filename" of the linux_binprm struct. Instead, call kernel_read() directly. Link: http://lkml.kernel.org/r/20190524201817.16509-1-jannh@google.com Fixes: 287980e49ffc ("remove lots of IS_ERR_VALUE abuses") Signed-off-by: Jann Horn Cc: Alexander Viro Cc: Kees Cook Cc: Nicolas Pitre Cc: Arnd Bergmann Cc: Geert Uytterhoeven Cc: Russell King Cc: Greg Ungerer Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman --- fs/binfmt_flat.c | 23 +++++++---------------- 1 file changed, 7 insertions(+), 16 deletions(-) --- a/fs/binfmt_flat.c +++ b/fs/binfmt_flat.c @@ -856,9 +856,14 @@ err: static int load_flat_shared_library(int id, struct lib_info *libs) { + /* + * This is a fake bprm struct; only the members "buf", "file" and + * "filename" are actually used. + */ struct linux_binprm bprm; int res; char buf[16]; + loff_t pos = 0; memset(&bprm, 0, sizeof(bprm)); @@ -872,25 +877,11 @@ static int load_flat_shared_library(int if (IS_ERR(bprm.file)) return res; - bprm.cred = prepare_exec_creds(); - res = -ENOMEM; - if (!bprm.cred) - goto out; - - /* We don't really care about recalculating credentials at this point - * as we're past the point of no return and are dealing with shared - * libraries. - */ - bprm.called_set_creds = 1; - - res = prepare_binprm(&bprm); + res = kernel_read(bprm.file, bprm.buf, BINPRM_BUF_SIZE, &pos); - if (!res) + if (res >= 0) res = load_flat_file(&bprm, libs, id, NULL); - abort_creds(bprm.cred); - -out: allow_write_access(bprm.file); fput(bprm.file);