mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-09-29 13:53:33 +00:00
[PATCH] Potential DOS in load_elf_library
Yichen Xie <yxie@cs.stanford.edu> points out that load_elf_library can modify `elf_phdata' before freeing it. CAN-2005-0749 is assigned to this issue. Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Chris Wright <chrisw@osdl.org>
This commit is contained in:
parent
719f9e713a
commit
e1c94ff436
1 changed files with 17 additions and 13 deletions
|
@ -1008,6 +1008,7 @@ static int load_elf_binary(struct linux_binprm * bprm, struct pt_regs * regs)
|
|||
static int load_elf_library(struct file *file)
|
||||
{
|
||||
struct elf_phdr *elf_phdata;
|
||||
struct elf_phdr *eppnt;
|
||||
unsigned long elf_bss, bss, len;
|
||||
int retval, error, i, j;
|
||||
struct elfhdr elf_ex;
|
||||
|
@ -1031,44 +1032,47 @@ static int load_elf_library(struct file *file)
|
|||
/* j < ELF_MIN_ALIGN because elf_ex.e_phnum <= 2 */
|
||||
|
||||
error = -ENOMEM;
|
||||
elf_phdata = (struct elf_phdr *) kmalloc(j, GFP_KERNEL);
|
||||
elf_phdata = kmalloc(j, GFP_KERNEL);
|
||||
if (!elf_phdata)
|
||||
goto out;
|
||||
|
||||
eppnt = elf_phdata;
|
||||
error = -ENOEXEC;
|
||||
retval = kernel_read(file, elf_ex.e_phoff, (char *) elf_phdata, j);
|
||||
retval = kernel_read(file, elf_ex.e_phoff, (char *)eppnt, j);
|
||||
if (retval != j)
|
||||
goto out_free_ph;
|
||||
|
||||
for (j = 0, i = 0; i<elf_ex.e_phnum; i++)
|
||||
if ((elf_phdata + i)->p_type == PT_LOAD) j++;
|
||||
if ((eppnt + i)->p_type == PT_LOAD)
|
||||
j++;
|
||||
if (j != 1)
|
||||
goto out_free_ph;
|
||||
|
||||
while (elf_phdata->p_type != PT_LOAD) elf_phdata++;
|
||||
while (eppnt->p_type != PT_LOAD)
|
||||
eppnt++;
|
||||
|
||||
/* Now use mmap to map the library into memory. */
|
||||
down_write(¤t->mm->mmap_sem);
|
||||
error = do_mmap(file,
|
||||
ELF_PAGESTART(elf_phdata->p_vaddr),
|
||||
(elf_phdata->p_filesz +
|
||||
ELF_PAGEOFFSET(elf_phdata->p_vaddr)),
|
||||
ELF_PAGESTART(eppnt->p_vaddr),
|
||||
(eppnt->p_filesz +
|
||||
ELF_PAGEOFFSET(eppnt->p_vaddr)),
|
||||
PROT_READ | PROT_WRITE | PROT_EXEC,
|
||||
MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE,
|
||||
(elf_phdata->p_offset -
|
||||
ELF_PAGEOFFSET(elf_phdata->p_vaddr)));
|
||||
(eppnt->p_offset -
|
||||
ELF_PAGEOFFSET(eppnt->p_vaddr)));
|
||||
up_write(¤t->mm->mmap_sem);
|
||||
if (error != ELF_PAGESTART(elf_phdata->p_vaddr))
|
||||
if (error != ELF_PAGESTART(eppnt->p_vaddr))
|
||||
goto out_free_ph;
|
||||
|
||||
elf_bss = elf_phdata->p_vaddr + elf_phdata->p_filesz;
|
||||
elf_bss = eppnt->p_vaddr + eppnt->p_filesz;
|
||||
if (padzero(elf_bss)) {
|
||||
error = -EFAULT;
|
||||
goto out_free_ph;
|
||||
}
|
||||
|
||||
len = ELF_PAGESTART(elf_phdata->p_filesz + elf_phdata->p_vaddr + ELF_MIN_ALIGN - 1);
|
||||
bss = elf_phdata->p_memsz + elf_phdata->p_vaddr;
|
||||
len = ELF_PAGESTART(eppnt->p_filesz + eppnt->p_vaddr + ELF_MIN_ALIGN - 1);
|
||||
bss = eppnt->p_memsz + eppnt->p_vaddr;
|
||||
if (bss > len) {
|
||||
down_write(¤t->mm->mmap_sem);
|
||||
do_brk(len, bss - len);
|
||||
|
|
Loading…
Reference in a new issue