> @@ -1479,7 +1489,26 @@ static int do_execve_common(struct filen
>
> bprm->file = file;
> - bprm->filename = bprm->interp = filename->name;
> + if (fd == AT_FDCWD || filename->name[0] == '/') {
> + bprm->filename = filename->name;
> + } else {
> + if (filename->name[0] == '\0')
> + pathbuf = kasprintf(GFP_TEMPORARY, "/dev/fd/%d", fd);
> + else
> + pathbuf = kasprintf(GFP_TEMPORARY, "/dev/fd/%d/%s",
> + fd, filename->name);
> + if (!pathbuf) {
> + retval = -ENOMEM;
> + goto out_unmark;
> + }
> + /* Record that a name derived from an O_CLOEXEC fd will be
> + * inaccessible after exec. Relies on having exclusive access to
> + * current->files (due to unshare_files above). */
> + if (close_on_exec(fd, current->files->fdt))
> + bprm->interp_flags |= BINPRM_FLAGS_PATH_INACCESSIBLE;
> + bprm->filename = pathbuf;
+ }
+ bprm->interp = bprm->filename;
Not sure I understand this patch, will try to read later...
Just once question, don't we leak pathbuf if exec() succeeds?
OTOH, if it fails,
> out_free:
> free_bprm(bprm);
> + kfree(pathbuf);
Is it correct if we fail after bprm_change_interp() was called? It seems
that we can free interp == pathbuf twice?
Oleg.
On Fri, Nov 14, 2014 at 12:11 AM, Oleg Nesterov <[email protected]> wrote:
>> @@ -1479,7 +1489,26 @@ static int do_execve_common(struct filen
>>
>> bprm->file = file;
>> - bprm->filename = bprm->interp = filename->name;
>> + if (fd == AT_FDCWD || filename->name[0] == '/') {
>> + bprm->filename = filename->name;
>> + } else {
>> + if (filename->name[0] == '\0')
>> + pathbuf = kasprintf(GFP_TEMPORARY, "/dev/fd/%d", fd);
>> + else
>> + pathbuf = kasprintf(GFP_TEMPORARY, "/dev/fd/%d/%s",
>> + fd, filename->name);
>> + if (!pathbuf) {
>> + retval = -ENOMEM;
>> + goto out_unmark;
>> + }
>> + /* Record that a name derived from an O_CLOEXEC fd will be
>> + * inaccessible after exec. Relies on having exclusive access to
>> + * current->files (due to unshare_files above). */
>> + if (close_on_exec(fd, current->files->fdt))
>> + bprm->interp_flags |= BINPRM_FLAGS_PATH_INACCESSIBLE;
>> + bprm->filename = pathbuf;
> + }
> + bprm->interp = bprm->filename;
>
> Not sure I understand this patch, will try to read later...
>
> Just once question, don't we leak pathbuf if exec() succeeds?
Doh, yes. I was sure I'd run this through kmemleak too, although
the evidence in front of me now clearly implies I didn't ...
> OTOH, if it fails,
>
>> out_free:
>> free_bprm(bprm);
>> + kfree(pathbuf);
>
> Is it correct if we fail after bprm_change_interp() was called? It seems
> that we can free interp == pathbuf twice?
I think this is OK -- bprm_change_interp() changes bprm->interp to point to a
newly kstrdup'ed string, but leaves brpm->filename as pathbuf. The former
then gets freed in free_bprm() (because it differs from filename == pathbuf),
and pathbuf is freed on the line afterwards.
> Oleg.
>