mirrors/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-09-29 13:53:33 +00:00
Code Issues Releases Wiki Activity

[PATCH] Potential DOS in load_elf_library

Browse source 
Yichen Xie <yxie@cs.stanford.edu> points out that load_elf_library can
modify `elf_phdata' before freeing it.

CAN-2005-0749 is assigned to this issue.

Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Chris Wright <chrisw@osdl.org>
This commit is contained in:
Herbert Xu 2005-03-25 17:50:52 -08:00 committed by Greg KH
parent 719f9e713a
commit e1c94ff436
1 changed files with 17 additions and 13 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

30
fs/binfmt_elf.c
View file

@ -1008,6 +1008,7 @@ static int load_elf_binary(struct linux_binprm * bprm, struct pt_regs * regs)
static int load_elf_library(struct file *file) static int load_elf_library(struct file *file)
{ {
struct elf_phdr *elf_phdata; struct elf_phdr *elf_phdata;
struct elf_phdr *eppnt;
unsigned long elf_bss, bss, len; unsigned long elf_bss, bss, len;
int retval, error, i, j; int retval, error, i, j;
struct elfhdr elf_ex; struct elfhdr elf_ex;
@ -1031,44 +1032,47 @@ static int load_elf_library(struct file *file)
/* j < ELF_MIN_ALIGN because elf_ex.e_phnum <= 2 */ /* j < ELF_MIN_ALIGN because elf_ex.e_phnum <= 2 */
error = -ENOMEM; error = -ENOMEM;
elf_phdata = (struct elf_phdr *) kmalloc(j, GFP_KERNEL); elf_phdata = kmalloc(j, GFP_KERNEL);
if (!elf_phdata) if (!elf_phdata)
goto out; goto out;
eppnt = elf_phdata;
error = -ENOEXEC; error = -ENOEXEC;
retval = kernel_read(file, elf_ex.e_phoff, (char *) elf_phdata, j); retval = kernel_read(file, elf_ex.e_phoff, (char *)eppnt, j);
if (retval != j) if (retval != j)
goto out_free_ph; goto out_free_ph;
for (j = 0, i = 0; i<elf_ex.e_phnum; i++) for (j = 0, i = 0; i<elf_ex.e_phnum; i++)
if ((elf_phdata + i)->p_type == PT_LOAD) j++; if ((eppnt + i)->p_type == PT_LOAD)
j++;
if (j != 1) if (j != 1)
goto out_free_ph; goto out_free_ph;
while (elf_phdata->p_type != PT_LOAD) elf_phdata++; while (eppnt->p_type != PT_LOAD)
eppnt++;
/* Now use mmap to map the library into memory. */ /* Now use mmap to map the library into memory. */
down_write(&current->mm->mmap_sem); down_write(&current->mm->mmap_sem);
error = do_mmap(file, error = do_mmap(file,
ELF_PAGESTART(elf_phdata->p_vaddr), ELF_PAGESTART(eppnt->p_vaddr),
(elf_phdata->p_filesz + (eppnt->p_filesz +
ELF_PAGEOFFSET(elf_phdata->p_vaddr)), ELF_PAGEOFFSET(eppnt->p_vaddr)),
PROT_READ | PROT_WRITE | PROT_EXEC, PROT_READ | PROT_WRITE | PROT_EXEC,
MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE, MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE,
(elf_phdata->p_offset - (eppnt->p_offset -
ELF_PAGEOFFSET(elf_phdata->p_vaddr))); ELF_PAGEOFFSET(eppnt->p_vaddr)));
up_write(&current->mm->mmap_sem); up_write(&current->mm->mmap_sem);
if (error != ELF_PAGESTART(elf_phdata->p_vaddr)) if (error != ELF_PAGESTART(eppnt->p_vaddr))
goto out_free_ph; goto out_free_ph;
elf_bss = elf_phdata->p_vaddr + elf_phdata->p_filesz; elf_bss = eppnt->p_vaddr + eppnt->p_filesz;
if (padzero(elf_bss)) { if (padzero(elf_bss)) {
error = -EFAULT; error = -EFAULT;
goto out_free_ph; goto out_free_ph;
} }
len = ELF_PAGESTART(elf_phdata->p_filesz + elf_phdata->p_vaddr + ELF_MIN_ALIGN - 1); len = ELF_PAGESTART(eppnt->p_filesz + eppnt->p_vaddr + ELF_MIN_ALIGN - 1);
bss = elf_phdata->p_memsz + elf_phdata->p_vaddr; bss = eppnt->p_memsz + eppnt->p_vaddr;
if (bss > len) { if (bss > len) {
down_write(&current->mm->mmap_sem); down_write(&current->mm->mmap_sem);
do_brk(len, bss - len); do_brk(len, bss - len);