2017-11-07 17:32:46 -05:00

51 lines
1.4 KiB
Diff

From 988e4530c2ce74a789c7cba210520d78b9a10132 Mon Sep 17 00:00:00 2001
From: Andrea Arcangeli <andrea@cpushare.com>
Date: Tue, 25 Jul 2017 22:22:45 +0200
Subject: [PATCH] fs/exec: fix use after free in execve
"file" can be already freed if bprm->file is NULL after
exec_binprm() return. binfmt_script will do exactly that for
example. If the VM reuses the file after fput run(), this will result in
a use ater free.
So obtain d_is_su before exec_binprm() runs.
This should explain this crash:
[25333.009554] Unable to handle kernel NULL pointer dereference at virtual address 00000185
[..]
[25333.009918] [2: am:21861] PC is at do_execve+0x354/0x474
Change-Id: I2a8a814d1c0aa75625be83cb30432cf13f1a0681
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
---
diff --git a/fs/exec.c b/fs/exec.c
index 1838704..69b0dbd 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -1458,6 +1458,7 @@
struct file *file;
struct files_struct *displaced;
int retval;
+ bool is_su;
if (IS_ERR(filename))
return PTR_ERR(filename);
@@ -1533,11 +1534,14 @@
if (retval < 0)
goto out;
+ /* search_binary_handler can release file and it may be freed */
+ is_su = d_is_su(file->f_dentry);
+
retval = exec_binprm(bprm);
if (retval < 0)
goto out;
- if (d_is_su(file->f_dentry) && capable(CAP_SYS_ADMIN)) {
+ if (is_su && capable(CAP_SYS_ADMIN)) {
current->flags |= PF_SU;
su_exec();
}