From: Jann Horn <jannh@google.com>
To: Andrew Morton <akpm@linux-foundation.org>, jannh@google.com
Cc: Alexander Viro <viro@zeniv.linux.org.uk>, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, Kees Cook <keescook@chromium.org>, Nicolas Pitre <nicolas.pitre@linaro.org>, Arnd Bergmann <arnd@arndb.de>, Geert Uytterhoeven <geert@linux-m68k.org>, linux-m68k@lists.linux-m68k.org, Russell King <linux@armlinux.org.uk>, linux-arm-kernel@lists.infradead.org
Subject: [PATCH] binfmt_flat: make load_flat_shared_library() work
Date: Fri, 24 May 2019 22:18:17 +0200
Message-ID: <20190524201817.16509-1-jannh@google.com>

load_flat_shared_library() is broken: It only calls load_flat_file() if
prepare_binprm() returns zero, but prepare_binprm() returns the number of
bytes read - so this only happens if the file is empty.

Instead, call into load_flat_file() if the number of bytes read is
non-negative. (Even if the number of bytes is zero - in that case,
load_flat_file() will see nullbytes and return a nice -ENOEXEC.)

In addition, remove the code related to bprm creds and stop using
prepare_binprm() - this code is loading a library, not a main executable,
and it only actually uses the members "buf", "file" and "filename" of the
linux_binprm struct. Instead, call kernel_read() directly.

Cc: stable@vger.kernel.org
Fixes: 287980e49ffc ("remove lots of IS_ERR_VALUE abuses")
Signed-off-by: Jann Horn <jannh@google.com>
---
I only found the bug by looking at the code, I have not verified its
existence at runtime. Also, this patch is compile-tested only.
It would be nice if someone who works with nommu Linux could have a look
at this patch.

akpm's tree is the right one for this patch, right?

 fs/binfmt_flat.c | 23 +++++++----------------
 1 file changed, 7 insertions(+), 16 deletions(-)

diff --git a/fs/binfmt_flat.c b/fs/binfmt_flat.c
index 82a48e830018..e4b59e76afb0 100644
--- a/fs/binfmt_flat.c
+++ b/fs/binfmt_flat.c
@@ -856,9 +856,14 @@ static int load_flat_file(struct linux_binprm *bprm, static int load_flat_shared_library(int id, struct lib_info *libs) { + /* + * This is a fake bprm struct; only the members "buf", "file" and + * "filename" are actually used. + */ struct linux_binprm bprm; int res; char buf[16]; + loff_t pos = 0; memset(&bprm, 0, sizeof(bprm)); @@ -872,25 +877,11 @@ static int load_flat_shared_library(int id, struct lib_info *libs) if (IS_ERR(bprm.file)) return res; - bprm.cred = prepare_exec_creds(); - res = -ENOMEM; - if (!bprm.cred) - goto out; - - /* We don't really care about recalculating credentials at this point - * as we're past the point of no return and are dealing with shared - * libraries. - */ - bprm.called_set_creds = 1; + res = kernel_read(bprm.file, bprm.buf, BINPRM_BUF_SIZE, &pos); - res = prepare_binprm(&bprm); - - if (!res) + if (res >= 0) res = load_flat_file(&bprm, libs, id, NULL); - abort_creds(bprm.cred); - -out: allow_write_access(bprm.file); fput(bprm.file); -- 2.22.0.rc1.257.g3120a18244-goog
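Review bot: in the second hunk, the new `if (res >= 0)` path relies on bprm.buf already being zero-filled when kernel_read() returns a short read (0 <= res < BINPRM_BUF_SIZE), because load_flat_file() then sees whatever follows the bytes that were read; the only thing guaranteeing that those bytes are zero is the `memset(&bprm, 0, sizeof(bprm));` visible in the first hunk's context, and the commit message's "load_flat_file() will see nullbytes" argument depends on it. Since the new comment on the fake bprm struct is being added anyway, it would be worth stating there that the memset is what stands in for the buffer clearing previously done on the prepare_binprm() path, so a future cleanup of the memset does not silently reintroduce uninitialised header bytes. The rest of the hunk is straightforward: the `out:` label loses its last user together with `goto out`, and both the error and success paths still fall through to `allow_write_access()` / `fput()`.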