fs/exec: fix use after free in execve
"file" can be already freed if bprm->file is NULL after search_binary_handler() return. binfmt_script will do exactly that for example. If the VM reuses the file after fput run(), this will result in a use ater free. So obtain d_is_su before search_binary_handler() runs. This should explain this crash: [25333.009554] Unable to handle kernel NULL pointer dereference at virtual address 00000185 [..] [25333.009918] [2: am:21861] PC is at do_execve+0x354/0x474 Change-Id: I2a8a814d1c0aa75625be83cb30432cf13f1a0681 Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
This commit is contained in:
Andrea Arcangeli
Francescodario Cuzzocrea
parent
1963b81b1f
commit
d9d42139ea
|
|
@ -1491,6 +1491,7 @@ static int do_execve_common(const char *filename,
|
|||
bool clear_in_exec;
|
||||
int retval;
|
||||
const struct cred *cred = current_cred();
|
||||
bool is_su;
|
||||
|
||||
/*
|
||||
* We move the actual failure in case of RLIMIT_NPROC excess from
|
||||
|
|
@ -1567,11 +1568,14 @@ static int do_execve_common(const char *filename,
|
|||
if (retval < 0)
|
||||
goto out;
|
||||
|
||||
/* search_binary_handler can release file and it may be freed */
|
||||
is_su = d_is_su(file->f_dentry);
|
||||
|
||||
retval = search_binary_handler(bprm,regs);
|
||||
if (retval < 0)
|
||||
goto out;
|
||||
|
||||
if (d_is_su(file->f_dentry) && capable(CAP_SYS_ADMIN)) {
|
||||
if (is_su && capable(CAP_SYS_ADMIN)) {
|
||||
current->flags |= PF_SU;
|
||||
su_exec();
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue