From: Takuya Yoshikawa <[email protected]>
clear_user() returns the number of bytes that could not be copied rather than
an error code. So we should return -EFAULT rather than directly returning the
results.
Without this patch, positive values may be returned to elf_fdpic_map_file(),
and the error checks below do not behave as expected.
1.
ret = elf_fdpic_map_file_constdisp_on_uclinux(params, file, mm);
if (ret < 0)
return ret;
2.
ret = elf_fdpic_map_file_by_direct_mmap(params, file, mm);
if (ret < 0)
return ret;
Signed-off-by: Takuya Yoshikawa <[email protected]>
Signed-off-by: David Howells <[email protected]>
Acked-by: Mike Frysinger <[email protected]>
CC: Alexander Viro <[email protected]>
CC: Andrew Morton <[email protected]>
CC: Daisuke HATAYAMA <[email protected]>
CC: Paul Mundt <[email protected]>
---
fs/binfmt_elf_fdpic.c | 26 +++++++++++---------------
1 files changed, 11 insertions(+), 15 deletions(-)
diff --git a/fs/binfmt_elf_fdpic.c b/fs/binfmt_elf_fdpic.c
index 2c5f9a0..63039ed 100644
--- a/fs/binfmt_elf_fdpic.c
+++ b/fs/binfmt_elf_fdpic.c
@@ -990,10 +990,9 @@ static int elf_fdpic_map_file_constdisp_on_uclinux(
/* clear any space allocated but not loaded */
if (phdr->p_filesz < phdr->p_memsz) {
- ret = clear_user((void *) (seg->addr + phdr->p_filesz),
- phdr->p_memsz - phdr->p_filesz);
- if (ret)
- return ret;
+ if (clear_user((void *) (seg->addr + phdr->p_filesz),
+ phdr->p_memsz - phdr->p_filesz))
+ return -EFAULT;
}
if (mm) {
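Review bot: The new call at `clear_user((void *) (seg->addr + phdr->p_filesz), ...)` still casts to a plain `void *`, while the same patch writes `(void __user *) maddr` in the later hunks of elf_fdpic_map_file_by_direct_mmap; clear_user() takes a `void __user *`, so sparse will report an address-space mismatch here and at the `#else` branch of the last hunk (`clear_user((void *) maddr + phdr->p_filesz, excess)`). Since these lines are being rewritten anyway, changing both to `(void __user *)` makes the patch self-consistent at no cost to generated code. The `p_filesz < p_memsz` guard on the line above keeps the length non-negative, but whether the cleared range is confined to the segment mapped for this PT_LOAD depends on checks outside the hunk, so the annotation is also the only static hint that this address is user-controlled. elf_fdpic_map_file_constdisp_on_uclinux() starts and ends outside this hunk, so it is not visible whether a `ret` local remains in use there after the assignment is dropped.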
@@ -1027,7 +1026,7 @@ static int elf_fdpic_map_file_by_direct_mmap(struct elf_fdpic_params *params,
struct elf32_fdpic_loadseg *seg;
struct elf32_phdr *phdr;
unsigned long load_addr, delta_vaddr;
- int loop, dvset, ret;
+ int loop, dvset;
load_addr = params->load_addr;
delta_vaddr = 0;
@@ -1127,9 +1126,8 @@ static int elf_fdpic_map_file_by_direct_mmap(struct elf_fdpic_params *params,
* PT_LOAD */
if (prot & PROT_WRITE && disp > 0) {
kdebug("clear[%d] ad=%lx sz=%lx", loop, maddr, disp);
- ret = clear_user((void __user *) maddr, disp);
- if (ret)
- return ret;
+ if (clear_user((void __user *) maddr, disp))
+ return -EFAULT;
maddr += disp;
}
@@ -1164,19 +1162,17 @@ static int elf_fdpic_map_file_by_direct_mmap(struct elf_fdpic_params *params,
if (prot & PROT_WRITE && excess1 > 0) {
kdebug("clear[%d] ad=%lx sz=%lx",
loop, maddr + phdr->p_filesz, excess1);
- ret = clear_user((void __user *) maddr + phdr->p_filesz,
- excess1);
- if (ret)
- return ret;
+ if (clear_user((void __user *) maddr + phdr->p_filesz,
+ excess1))
+ return -EFAULT;
}
#else
if (excess > 0) {
kdebug("clear[%d] ad=%lx sz=%lx",
loop, maddr + phdr->p_filesz, excess);
- ret = clear_user((void *) maddr + phdr->p_filesz, excess);
- if (ret)
- return ret;
+ if (clear_user((void *) maddr + phdr->p_filesz, excess))
+ return -EFAULT;
}
#endif
David Howells <[email protected]> wrote:
> From: Takuya Yoshikawa <[email protected]>
>
Thanks for updating and improving the explanation!
Takuya
> clear_user() returns the number of bytes that could not be copied rather than
> an error code. So we should return -EFAULT rather than directly returning the
> results.
>
> Without this patch, positive values may be returned to elf_fdpic_map_file()
> and the following error handlings do not function as expected.
>
> 1.
> ret = elf_fdpic_map_file_constdisp_on_uclinux(params, file, mm);
> if (ret < 0)
> return ret;
> 2.
> ret = elf_fdpic_map_file_by_direct_mmap(params, file, mm);
> if (ret < 0)
> return ret;
>
> Signed-off-by: Takuya Yoshikawa <[email protected]>
> Signed-off-by: David Howells <[email protected]>
> Acked-by: Mike Frysinger <[email protected]>
> CC: Alexander Viro <[email protected]>
> CC: Andrew Morton <[email protected]>
> CC: Daisuke HATAYAMA <[email protected]>
> CC: Paul Mundt <[email protected]>
> ---
>
> fs/binfmt_elf_fdpic.c | 26 +++++++++++---------------
> 1 files changed, 11 insertions(+), 15 deletions(-)
>
>
> diff --git a/fs/binfmt_elf_fdpic.c b/fs/binfmt_elf_fdpic.c
> index 2c5f9a0..63039ed 100644
> --- a/fs/binfmt_elf_fdpic.c
> +++ b/fs/binfmt_elf_fdpic.c
> @@ -990,10 +990,9 @@ static int elf_fdpic_map_file_constdisp_on_uclinux(
>
> /* clear any space allocated but not loaded */
> if (phdr->p_filesz < phdr->p_memsz) {
> - ret = clear_user((void *) (seg->addr + phdr->p_filesz),
> - phdr->p_memsz - phdr->p_filesz);
> - if (ret)
> - return ret;
> + if (clear_user((void *) (seg->addr + phdr->p_filesz),
> + phdr->p_memsz - phdr->p_filesz))
> + return -EFAULT;
> }
>
> if (mm) {
> @@ -1027,7 +1026,7 @@ static int elf_fdpic_map_file_by_direct_mmap(struct elf_fdpic_params *params,
> struct elf32_fdpic_loadseg *seg;
> struct elf32_phdr *phdr;
> unsigned long load_addr, delta_vaddr;
> - int loop, dvset, ret;
> + int loop, dvset;
>
> load_addr = params->load_addr;
> delta_vaddr = 0;
> @@ -1127,9 +1126,8 @@ static int elf_fdpic_map_file_by_direct_mmap(struct elf_fdpic_params *params,
> * PT_LOAD */
> if (prot & PROT_WRITE && disp > 0) {
> kdebug("clear[%d] ad=%lx sz=%lx", loop, maddr, disp);
> - ret = clear_user((void __user *) maddr, disp);
> - if (ret)
> - return ret;
> + if (clear_user((void __user *) maddr, disp))
> + return -EFAULT;
> maddr += disp;
> }
>
> @@ -1164,19 +1162,17 @@ static int elf_fdpic_map_file_by_direct_mmap(struct elf_fdpic_params *params,
> if (prot & PROT_WRITE && excess1 > 0) {
> kdebug("clear[%d] ad=%lx sz=%lx",
> loop, maddr + phdr->p_filesz, excess1);
> - ret = clear_user((void __user *) maddr + phdr->p_filesz,
> - excess1);
> - if (ret)
> - return ret;
> + if (clear_user((void __user *) maddr + phdr->p_filesz,
> + excess1))
> + return -EFAULT;
> }
>
> #else
> if (excess > 0) {
> kdebug("clear[%d] ad=%lx sz=%lx",
> loop, maddr + phdr->p_filesz, excess);
> - ret = clear_user((void *) maddr + phdr->p_filesz, excess);
> - if (ret)
> - return ret;
> + if (clear_user((void *) maddr + phdr->p_filesz, excess))
> + return -EFAULT;
> }
> #endif
>
>
--
Takuya Yoshikawa <[email protected]>
On Tue, Jun 01, 2010 at 02:10:47PM +0100, David Howells wrote:
> From: Takuya Yoshikawa <[email protected]>
>
> clear_user() returns the number of bytes that could not be copied rather than
> an error code. So we should return -EFAULT rather than directly returning the
> results.
>
> Without this patch, positive values may be returned to elf_fdpic_map_file()
> and the following error handlings do not function as expected.
>
> 1.
> ret = elf_fdpic_map_file_constdisp_on_uclinux(params, file, mm);
> if (ret < 0)
> return ret;
> 2.
> ret = elf_fdpic_map_file_by_direct_mmap(params, file, mm);
> if (ret < 0)
> return ret;
>
> Signed-off-by: Takuya Yoshikawa <[email protected]>
> Signed-off-by: David Howells <[email protected]>
> Acked-by: Mike Frysinger <[email protected]>
> CC: Alexander Viro <[email protected]>
> CC: Andrew Morton <[email protected]>
> CC: Daisuke HATAYAMA <[email protected]>
> CC: Paul Mundt <[email protected]>
Acked-by: Paul Mundt <[email protected]>