From: Oleg Nesterov <oleg@redhat.com> Date: Wed, 1 Dec 2010 16:43:50 -0500 Subject: [fs] exec: copy fixes into compat_do_execve paths Message-id: <20101201164350.GF1758@redhat.com> Patchwork-id: 29772 O-Subject: [RHEL5.6 PATCH 3/3] bz625694: exec: copy-and-paste the fixes into compat_do_execve() paths Bugzilla: 625694 CVE: CVE-2010-4243 https://bugzilla.redhat.com/show_bug.cgi?id=625694 Upsteram commit 114279be2120a916e8a04feeb2ac976a10016f2f Author: Oleg Nesterov <oleg@redhat.com> Date: Tue Nov 30 20:56:02 2010 +0100 exec: copy-and-paste the fixes into compat_do_execve() paths Note: this patch targets 2.6.37 and tries to be as simple as possible. That is why it adds more copy-and-paste horror into fs/compat.c and uglifies fs/exec.c, this will be cleanuped later. compat_copy_strings() plays with bprm->vma/mm directly and thus has two problems: it lacks the RLIMIT_STACK check and argv/envp memory is not visible to oom killer. Export acct_arg_size() and get_arg_page(), change compat_copy_strings() to use get_arg_page(), change compat_do_execve() to do acct_arg_size(0) as do_execve() does. Add the fatal_signal_pending/cond_resched checks into compat_count() and compat_copy_strings(), this matches the code in fs/exec.c and certainly makes sense. Signed-off-by: Oleg Nesterov <oleg@redhat.com> Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com> Cc: stable@kernel.org Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Note: as for cleanups mentioned in the changelog, I sent them upstream but I don't think this is RHEL material. Signed-off-by: Oleg Nesterov <oleg@redhat.com> diff --git a/fs/compat.c b/fs/compat.c index c77b194..0405487 100644 --- a/fs/compat.c +++ b/fs/compat.c @@ -1427,6 +1427,10 @@ static int compat_count(compat_uptr_t __user *argv, int max) argv++; if(++i > max) return -E2BIG; + + if (fatal_signal_pending(current)) + return -ERESTARTNOHAND; + cond_resched(); } } return i; @@ -1468,6 +1472,12 @@ static int compat_copy_strings(int argc, compat_uptr_t __user *argv, while (len > 0) { int offset, bytes_to_copy; + if (fatal_signal_pending(current)) { + ret = -ERESTARTNOHAND; + goto out; + } + cond_resched(); + offset = pos % PAGE_SIZE; if (offset == 0) offset = PAGE_SIZE; @@ -1484,18 +1494,8 @@ static int compat_copy_strings(int argc, compat_uptr_t __user *argv, if (!kmapped_page || kpos != (pos & PAGE_MASK)) { struct page *page; -#ifdef CONFIG_STACK_GROWSUP - ret = expand_stack_downwards(bprm->vma, pos); - if (ret < 0) { - /* We've exceed the stack rlimit. */ - ret = -E2BIG; - goto out; - } -#endif - ret = get_user_pages(current, bprm->mm, pos, - 1, 1, 1, &page, NULL); - if (ret <= 0) { - /* We've exceed the stack rlimit. */ + page = get_arg_page(bprm, pos, 1); + if (!page) { ret = -E2BIG; goto out; } @@ -1604,8 +1604,10 @@ out: security_bprm_free(bprm); out_mm: - if (bprm->mm) + if (bprm->mm) { + acct_arg_size(bprm, 0); mmput(bprm->mm); + } out_file: if (bprm->file) { diff --git a/fs/exec.c b/fs/exec.c index d6f4971..2b561ff 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -179,7 +179,7 @@ exit: #ifdef CONFIG_MMU -static void acct_arg_size(struct linux_binprm *bprm, unsigned long pages) +void acct_arg_size(struct linux_binprm *bprm, unsigned long pages) { struct mm_struct *mm = current->mm; long diff = (long)(pages - bprm->vma_pages); @@ -306,7 +306,7 @@ static bool valid_arg_len(struct linux_binprm *bprm, long len) #else -static inline void acct_arg_size(struct linux_binprm *bprm, unsigned long pages) +void acct_arg_size(struct linux_binprm *bprm, unsigned long pages) { } diff --git a/include/linux/binfmts.h b/include/linux/binfmts.h index b05117c..d16b5b8 100644 --- a/include/linux/binfmts.h +++ b/include/linux/binfmts.h @@ -49,6 +49,10 @@ struct linux_binprm{ #endif }; +extern void acct_arg_size(struct linux_binprm *bprm, unsigned long pages); +extern struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos, + int write); + #define BINPRM_FLAGS_ENFORCE_NONDUMP_BIT 0 #define BINPRM_FLAGS_ENFORCE_NONDUMP (1 << BINPRM_FLAGS_ENFORCE_NONDUMP_BIT)