[PATCH] get rid of leak in compat_execve()
Even though copy_compat_strings() doesn't cache the pages, copy_strings_kernel() and stuff indirectly called by e.g. ->load_binary() is doing that, so we need to drop the cache contents in the end. [found by WANG Cong <wangcong@zeuux.org>] Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
This commit is contained in:
parent
5f719558ed
commit
08a6fac1c6
3 changed files with 11 additions and 6 deletions
|
@ -1405,7 +1405,7 @@ int compat_do_execve(char * filename,
|
||||||
/* execve success */
|
/* execve success */
|
||||||
security_bprm_free(bprm);
|
security_bprm_free(bprm);
|
||||||
acct_update_integrals(current);
|
acct_update_integrals(current);
|
||||||
kfree(bprm);
|
free_bprm(bprm);
|
||||||
return retval;
|
return retval;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -1424,7 +1424,7 @@ int compat_do_execve(char * filename,
|
||||||
}
|
}
|
||||||
|
|
||||||
out_kfree:
|
out_kfree:
|
||||||
kfree(bprm);
|
free_bprm(bprm);
|
||||||
|
|
||||||
out_ret:
|
out_ret:
|
||||||
return retval;
|
return retval;
|
||||||
|
|
12
fs/exec.c
12
fs/exec.c
|
@ -1251,6 +1251,12 @@ int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs)
|
||||||
|
|
||||||
EXPORT_SYMBOL(search_binary_handler);
|
EXPORT_SYMBOL(search_binary_handler);
|
||||||
|
|
||||||
|
void free_bprm(struct linux_binprm *bprm)
|
||||||
|
{
|
||||||
|
free_arg_pages(bprm);
|
||||||
|
kfree(bprm);
|
||||||
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* sys_execve() executes a new program.
|
* sys_execve() executes a new program.
|
||||||
*/
|
*/
|
||||||
|
@ -1320,17 +1326,15 @@ int do_execve(char * filename,
|
||||||
retval = search_binary_handler(bprm,regs);
|
retval = search_binary_handler(bprm,regs);
|
||||||
if (retval >= 0) {
|
if (retval >= 0) {
|
||||||
/* execve success */
|
/* execve success */
|
||||||
free_arg_pages(bprm);
|
|
||||||
security_bprm_free(bprm);
|
security_bprm_free(bprm);
|
||||||
acct_update_integrals(current);
|
acct_update_integrals(current);
|
||||||
kfree(bprm);
|
free_bprm(bprm);
|
||||||
if (displaced)
|
if (displaced)
|
||||||
put_files_struct(displaced);
|
put_files_struct(displaced);
|
||||||
return retval;
|
return retval;
|
||||||
}
|
}
|
||||||
|
|
||||||
out:
|
out:
|
||||||
free_arg_pages(bprm);
|
|
||||||
if (bprm->security)
|
if (bprm->security)
|
||||||
security_bprm_free(bprm);
|
security_bprm_free(bprm);
|
||||||
|
|
||||||
|
@ -1344,7 +1348,7 @@ int do_execve(char * filename,
|
||||||
fput(bprm->file);
|
fput(bprm->file);
|
||||||
}
|
}
|
||||||
out_kfree:
|
out_kfree:
|
||||||
kfree(bprm);
|
free_bprm(bprm);
|
||||||
|
|
||||||
out_files:
|
out_files:
|
||||||
if (displaced)
|
if (displaced)
|
||||||
|
|
|
@ -99,6 +99,7 @@ extern int copy_strings_kernel(int argc,char ** argv,struct linux_binprm *bprm);
|
||||||
extern void compute_creds(struct linux_binprm *binprm);
|
extern void compute_creds(struct linux_binprm *binprm);
|
||||||
extern int do_coredump(long signr, int exit_code, struct pt_regs * regs);
|
extern int do_coredump(long signr, int exit_code, struct pt_regs * regs);
|
||||||
extern int set_binfmt(struct linux_binfmt *new);
|
extern int set_binfmt(struct linux_binfmt *new);
|
||||||
|
extern void free_bprm(struct linux_binprm *);
|
||||||
|
|
||||||
#endif /* __KERNEL__ */
|
#endif /* __KERNEL__ */
|
||||||
#endif /* _LINUX_BINFMTS_H */
|
#endif /* _LINUX_BINFMTS_H */
|
||||||
|
|
Loading…
Reference in a new issue