From: Jann Horn <jannh@google.com>
To: Andrew Morton <akpm@linux-foundation.org>, jannh@google.com
Cc: Alexander Viro <viro@zeniv.linux.org.uk>,
	linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
	Kees Cook <keescook@chromium.org>,
	Nicolas Pitre <nicolas.pitre@linaro.org>,
	Arnd Bergmann <arnd@arndb.de>,
	Geert Uytterhoeven <geert@linux-m68k.org>,
	linux-m68k@lists.linux-m68k.org,
	Russell King <linux@armlinux.org.uk>,
	linux-arm-kernel@lists.infradead.org
Subject: [PATCH] binfmt_flat: make load_flat_shared_library() work
Date: Fri, 24 May 2019 22:18:17 +0200
Message-ID: <20190524201817.16509-1-jannh@google.com>

load_flat_shared_library() is broken: It only calls load_flat_file() if
prepare_binprm() returns zero, but prepare_binprm() returns the number of
bytes read - so this only happens if the file is empty.

Instead, call into load_flat_file() if the number of bytes read is
non-negative. (Even if the number of bytes is zero - in that case,
load_flat_file() will see nullbytes and return a nice -ENOEXEC.)

In addition, remove the code related to bprm creds and stop using
prepare_binprm() - this code is loading a library, not a main executable,
and it only actually uses the members "buf", "file" and "filename" of the
linux_binprm struct. Instead, call kernel_read() directly.

Cc: stable@vger.kernel.org
Fixes: 287980e49ffc ("remove lots of IS_ERR_VALUE abuses")
Signed-off-by: Jann Horn <jannh@google.com>
---
I only found the bug by looking at the code, I have not verified its
existence at runtime.
Also, this patch is compile-tested only.
It would be nice if someone who works with nommu Linux could have a
look at this patch.
akpm's tree is the right one for this patch, right?

 fs/binfmt_flat.c | 23 +++++++----------------
 1 file changed, 7 insertions(+), 16 deletions(-)

diff --git a/fs/binfmt_flat.c b/fs/binfmt_flat.c
index 82a48e830018..e4b59e76afb0 100644
--- a/fs/binfmt_flat.c
+++ b/fs/binfmt_flat.c
@@ -856,9 +856,14 @@ static int load_flat_file(struct linux_binprm *bprm,
 
 static int load_flat_shared_library(int id, struct lib_info *libs)
 {
+	/*
+	 * This is a fake bprm struct; only the members "buf", "file" and
+	 * "filename" are actually used.
+	 */
 	struct linux_binprm bprm;
 	int res;
 	char buf[16];
+	loff_t pos = 0;
 
 	memset(&bprm, 0, sizeof(bprm));
 
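Review bot: the new comment says only "buf", "file" and "filename" are used, but it should also state the consequence of the memset() two lines below it: every other member of this bprm, bprm.cred included, stays zero/NULL for the whole load_flat_file() call, so load_flat_file() must never dereference them on the library path. Spelling that out (e.g. "all other members are zero and must not be dereferenced by load_flat_file()") turns a NULL dereference on nommu into something a reviewer of a later load_flat_file() change can catch. Minor: the local `char buf[16]` sits next to a comment that talks about `bprm.buf`; the two are different buffers and a more specific name for the local would avoid the confusion.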
@@ -872,25 +877,11 @@ static int load_flat_shared_library(int id, struct lib_info *libs)
 	if (IS_ERR(bprm.file))
 		return res;
 
-	bprm.cred = prepare_exec_creds();
-	res = -ENOMEM;
-	if (!bprm.cred)
-		goto out;
-
-	/* We don't really care about recalculating credentials at this point
-	 * as we're past the point of no return and are dealing with shared
-	 * libraries.
-	 */
-	bprm.called_set_creds = 1;
+	res = kernel_read(bprm.file, bprm.buf, BINPRM_BUF_SIZE, &pos);
 
-	res = prepare_binprm(&bprm);
-
-	if (!res)
+	if (res >= 0)
 		res = load_flat_file(&bprm, libs, id, NULL);
 
-	abort_creds(bprm.cred);
-
-out:
 	allow_write_access(bprm.file);
 	fput(bprm.file);
 
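Review bot: `if (res >= 0)` accepts a short read as well as a full one, so a file shorter than BINPRM_BUF_SIZE hands load_flat_file() a partially filled bprm.buf; that is only correct because the earlier `memset(&bprm, 0, sizeof(bprm))` zeroes the rest of the buffer, and `res` being an `int` that receives kernel_read()'s `ssize_t` is only correct because the count is bounded by BINPRM_BUF_SIZE. Both facts deserve a one-line comment next to the kernel_read() call. The removed lines also drop prepare_exec_creds()/abort_creds() around the load, leaving bprm.cred NULL; the justification (load_flat_file() touches only buf, file and filename) lives in the commit message, and a short in-code note that bprm.cred is deliberately absent would keep that reasoning with the code.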
-- 
2.22.0.rc1.257.g3120a18244-goog

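The return-value mix-up the commit message describes, reduced to a runnable model. This is an added example, not code from the patch or from the kernel: a reader with kernel_read()'s contract (bytes read, 0 at EOF, or a negative errno) feeds a stand-in loader that accepts only a header beginning with the flat-format "bFLT" magic, and the pre-patch `if (!res)` gate is shown beside the post-patch `if (res >= 0)` gate. BUF_SIZE, the fake_* helpers and all four input "files" are constructed for the example.

```c
/*
 * Added example, not code from the patch or the kernel: it models the
 * return-value mix-up the commit message describes. Readers in the
 * kernel_read() style return the number of bytes read (0 for EOF) or a
 * negative errno, so a caller that gates on `if (!res)` only proceeds
 * when nothing was read. All "files" below are constructed in memory.
 */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define BUF_SIZE 128 /* stands in for BINPRM_BUF_SIZE (assumption) */

struct fake_file {
	const unsigned char *data; /* NULL models an unreadable file */
	size_t len;
};

/* Same contract as kernel_read(): bytes copied (0 at EOF) or -errno. */
static ssize_t fake_read(const struct fake_file *f, unsigned char *buf,
			 size_t count, size_t *pos)
{
	size_t avail;

	if (!f->data)
		return -EIO;
	if (*pos >= f->len)
		return 0;
	avail = f->len - *pos;
	if (avail > count)
		avail = count;
	memcpy(buf, f->data + *pos, avail);
	*pos += avail;
	return (ssize_t)avail;
}

/*
 * Stand-in for load_flat_file(): accept a header that starts with the
 * flat-format "bFLT" magic, reject anything else (including an all-zero
 * buffer) with -ENOEXEC.
 */
static int fake_load_flat_file(const unsigned char *buf, size_t len)
{
	if (len < 4 || memcmp(buf, "bFLT", 4) != 0)
		return -ENOEXEC;
	return 0;
}

/* Before the patch: the loader runs only when the read returned 0. */
int load_library_broken(const struct fake_file *f)
{
	unsigned char buf[BUF_SIZE];
	size_t pos = 0;
	ssize_t res;

	memset(buf, 0, sizeof(buf)); /* as memset(&bprm, 0, ...) does */
	res = fake_read(f, buf, sizeof(buf), &pos);
	if (!res)
		res = fake_load_flat_file(buf, sizeof(buf));
	return (int)res; /* a positive byte count leaks out as "success" */
}

/* After the patch: any non-negative byte count reaches the loader. */
int load_library_fixed(const struct fake_file *f)
{
	unsigned char buf[BUF_SIZE];
	size_t pos = 0;
	ssize_t res;

	memset(buf, 0, sizeof(buf));
	res = fake_read(f, buf, sizeof(buf), &pos);
	if (res >= 0)
		res = fake_load_flat_file(buf, sizeof(buf));
	return (int)res;
}

/* Constructed inputs: a header with the right magic, an empty file,
 * a file with some other magic, and an unreadable file. */
static const unsigned char flat_bytes[] = { 'b', 'F', 'L', 'T', 0, 0, 0, 4 };
static const unsigned char elf_bytes[] = { 0x7f, 'E', 'L', 'F', 2 };
static const unsigned char no_bytes[1] = { 0 };
const struct fake_file valid_lib = { flat_bytes, sizeof(flat_bytes) };
const struct fake_file other_format = { elf_bytes, sizeof(elf_bytes) };
const struct fake_file empty_file = { no_bytes, 0 };
const struct fake_file unreadable = { NULL, 0 };

int main(void)
{
	printf("valid lib:   broken=%d fixed=%d\n",
	       load_library_broken(&valid_lib), load_library_fixed(&valid_lib));
	printf("empty file:  broken=%d fixed=%d\n",
	       load_library_broken(&empty_file), load_library_fixed(&empty_file));
	printf("other magic: broken=%d fixed=%d\n",
	       load_library_broken(&other_format), load_library_fixed(&other_format));
	printf("unreadable:  broken=%d fixed=%d\n",
	       load_library_broken(&unreadable), load_library_fixed(&unreadable));
	return 0;
}
```

With the pre-patch gate, the only input that ever reaches the loader is the empty file, and it is rejected with -ENOEXEC exactly as the commit message predicts; a real library never gets loaded and the positive byte count is what the caller sees. With the post-patch gate the valid header loads, the empty and wrong-magic files fail with -ENOEXEC, and a read error propagates unchanged in both versions.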
Thread overview: 38+ messages
2019-05-24 20:18 Jann Horn [this message]
2019-05-25 21:43 ` Andrew Morton
2019-05-27 13:38   ` Jann Horn
2019-05-27 14:37     ` Nicolas Pitre
2019-05-28 10:56     ` Greg Ungerer
2019-05-29 11:52       ` Arnd Bergmann
2019-05-29 12:05       ` Arnd Bergmann
2019-05-29 12:29         ` Greg Ungerer
2019-05-29 13:41           ` Arnd Bergmann
2019-06-02  7:21         ` Sergei Poselenov
2019-05-29 12:32       ` John Paul Adrian Glaubitz
2019-05-29 12:38         ` Jann Horn
2019-05-29 12:47           ` John Paul Adrian Glaubitz
2019-05-29 12:40         ` Greg Ungerer
2019-05-29 13:16         ` Andreas Schwab
2019-05-29 13:18           ` John Paul Adrian Glaubitz
     [not found] ` <20190529131501.A44162183F@mail.kernel.org>
2019-05-29 14:09   ` Jann Horn
