mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-12-30 01:46:30 -05:00
51 lines
1.4 KiB
Diff
51 lines
1.4 KiB
Diff
|
From 9b854303a58e8e0f4d9c40010fc88d5c280706d9 Mon Sep 17 00:00:00 2001
|
||
|
From: Andrea Arcangeli <andrea@cpushare.com>
|
||
|
Date: Tue, 25 Jul 2017 22:22:45 +0200
|
||
|
Subject: [PATCH] fs/exec: fix use after free in execve
|
||
|
|
||
|
"file" can be already freed if bprm->file is NULL after
|
||
|
search_binary_handler() return. binfmt_script will do exactly that for
|
||
|
example. If the VM reuses the file after fput run(), this will result in
|
||
|
a use ater free.
|
||
|
|
||
|
So obtain d_is_su before search_binary_handler() runs.
|
||
|
|
||
|
This should explain this crash:
|
||
|
|
||
|
[25333.009554] Unable to handle kernel NULL pointer dereference at virtual address 00000185
|
||
|
[..]
|
||
|
[25333.009918] [2: am:21861] PC is at do_execve+0x354/0x474
|
||
|
|
||
|
Change-Id: I2a8a814d1c0aa75625be83cb30432cf13f1a0681
|
||
|
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
|
||
|
---
|
||
|
|
||
|
diff --git a/fs/exec.c b/fs/exec.c
|
||
|
index 0ca8cba..c98c680 100644
|
||
|
--- a/fs/exec.c
|
||
|
+++ b/fs/exec.c
|
||
|
@@ -1490,6 +1490,7 @@
|
||
|
bool clear_in_exec;
|
||
|
int retval;
|
||
|
const struct cred *cred = current_cred();
|
||
|
+ bool is_su;
|
||
|
|
||
|
/*
|
||
|
* We move the actual failure in case of RLIMIT_NPROC excess from
|
||
|
@@ -1566,11 +1567,14 @@
|
||
|
if (retval < 0)
|
||
|
goto out;
|
||
|
|
||
|
+ /* search_binary_handler can release file and it may be freed */
|
||
|
+ is_su = d_is_su(file->f_dentry);
|
||
|
+
|
||
|
retval = search_binary_handler(bprm);
|
||
|
if (retval < 0)
|
||
|
goto out;
|
||
|
|
||
|
- if (d_is_su(file->f_dentry) && capable(CAP_SYS_ADMIN)) {
|
||
|
+ if (is_su && capable(CAP_SYS_ADMIN)) {
|
||
|
current->flags |= PF_SU;
|
||
|
su_exec();
|
||
|
}
|