mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
synced 2025-01-04 04:02:26 +00:00
binfmt_elf: safely increment argv pointers
When building the argv/envp pointers, the envp is needlessly pre-incremented instead of just continuing after the argv pointers are finished. In some (likely impossible) race where the strings could be changed from userspace between copy_strings() and here, it might be possible to confuse the envp position. Instead, just use sp like everything else. Link: http://lkml.kernel.org/r/20170622173838.GA43308@beast Signed-off-by: Kees Cook <keescook@chromium.org> Cc: Rik van Riel <riel@redhat.com> Cc: Daniel Micay <danielmicay@gmail.com> Cc: Qualys Security Advisory <qsa@qualys.com> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: Ingo Molnar <mingo@redhat.com> Cc: "H. Peter Anvin" <hpa@zytor.com> Cc: Alexander Viro <viro@zeniv.linux.org.uk> Cc: Dmitry Safonov <dsafonov@virtuozzo.com> Cc: Andy Lutomirski <luto@amacapital.net> Cc: Grzegorz Andrejczuk <grzegorz.andrejczuk@intel.com> Cc: Masahiro Yamada <yamada.masahiro@socionext.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
This commit is contained in:
parent
a73dc5370e
commit
67c6777a5d
@ -163,8 +163,6 @@ create_elf_tables(struct linux_binprm *bprm, struct elfhdr *exec,
|
|||||||
unsigned long p = bprm->p;
|
unsigned long p = bprm->p;
|
||||||
int argc = bprm->argc;
|
int argc = bprm->argc;
|
||||||
int envc = bprm->envc;
|
int envc = bprm->envc;
|
||||||
elf_addr_t __user *argv;
|
|
||||||
elf_addr_t __user *envp;
|
|
||||||
elf_addr_t __user *sp;
|
elf_addr_t __user *sp;
|
||||||
elf_addr_t __user *u_platform;
|
elf_addr_t __user *u_platform;
|
||||||
elf_addr_t __user *u_base_platform;
|
elf_addr_t __user *u_base_platform;
|
||||||
@ -304,38 +302,38 @@ create_elf_tables(struct linux_binprm *bprm, struct elfhdr *exec,
|
|||||||
/* Now, let's put argc (and argv, envp if appropriate) on the stack */
|
/* Now, let's put argc (and argv, envp if appropriate) on the stack */
|
||||||
if (__put_user(argc, sp++))
|
if (__put_user(argc, sp++))
|
||||||
return -EFAULT;
|
return -EFAULT;
|
||||||
argv = sp;
|
|
||||||
envp = argv + argc + 1;
|
|
||||||
|
|
||||||
/* Populate argv and envp */
|
/* Populate list of argv pointers back to argv strings. */
|
||||||
p = current->mm->arg_end = current->mm->arg_start;
|
p = current->mm->arg_end = current->mm->arg_start;
|
||||||
while (argc-- > 0) {
|
while (argc-- > 0) {
|
||||||
size_t len;
|
size_t len;
|
||||||
if (__put_user((elf_addr_t)p, argv++))
|
if (__put_user((elf_addr_t)p, sp++))
|
||||||
return -EFAULT;
|
return -EFAULT;
|
||||||
len = strnlen_user((void __user *)p, MAX_ARG_STRLEN);
|
len = strnlen_user((void __user *)p, MAX_ARG_STRLEN);
|
||||||
if (!len || len > MAX_ARG_STRLEN)
|
if (!len || len > MAX_ARG_STRLEN)
|
||||||
return -EINVAL;
|
return -EINVAL;
|
||||||
p += len;
|
p += len;
|
||||||
}
|
}
|
||||||
if (__put_user(0, argv))
|
if (__put_user(0, sp++))
|
||||||
return -EFAULT;
|
return -EFAULT;
|
||||||
current->mm->arg_end = current->mm->env_start = p;
|
current->mm->arg_end = p;
|
||||||
|
|
||||||
|
/* Populate list of envp pointers back to envp strings. */
|
||||||
|
current->mm->env_end = current->mm->env_start = p;
|
||||||
while (envc-- > 0) {
|
while (envc-- > 0) {
|
||||||
size_t len;
|
size_t len;
|
||||||
if (__put_user((elf_addr_t)p, envp++))
|
if (__put_user((elf_addr_t)p, sp++))
|
||||||
return -EFAULT;
|
return -EFAULT;
|
||||||
len = strnlen_user((void __user *)p, MAX_ARG_STRLEN);
|
len = strnlen_user((void __user *)p, MAX_ARG_STRLEN);
|
||||||
if (!len || len > MAX_ARG_STRLEN)
|
if (!len || len > MAX_ARG_STRLEN)
|
||||||
return -EINVAL;
|
return -EINVAL;
|
||||||
p += len;
|
p += len;
|
||||||
}
|
}
|
||||||
if (__put_user(0, envp))
|
if (__put_user(0, sp++))
|
||||||
return -EFAULT;
|
return -EFAULT;
|
||||||
current->mm->env_end = p;
|
current->mm->env_end = p;
|
||||||
|
|
||||||
/* Put the elf_info on the stack in the right place. */
|
/* Put the elf_info on the stack in the right place. */
|
||||||
sp = (elf_addr_t __user *)envp + 1;
|
|
||||||
if (copy_to_user(sp, elf_info, ei_index * sizeof(elf_addr_t)))
|
if (copy_to_user(sp, elf_info, ei_index * sizeof(elf_addr_t)))
|
||||||
return -EFAULT;
|
return -EFAULT;
|
||||||
return 0;
|
return 0;
|
||||||
|
Loading…
Reference in New Issue
Block a user