Date: Fri, 24 May 2019 22:18:17 +0200
Message-Id: <20190524201817.16509-1-jannh@google.com>
Subject: [PATCH] binfmt_flat: make load_flat_shared_library() work
From: Jann Horn
To: Andrew Morton, jannh@google.com
Cc: Alexander Viro, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, Kees Cook, Nicolas Pitre, Arnd Bergmann, Geert Uytterhoeven, linux-m68k@lists.linux-m68k.org, Russell King, linux-arm-kernel@lists.infradead.org
X-Mailing-List: linux-kernel@vger.kernel.org

load_flat_shared_library() is broken: It only calls load_flat_file() if prepare_binprm() returns zero, but prepare_binprm() returns the number of bytes read - so this only happens if the file is empty. Instead, call into load_flat_file() if the number of bytes read is non-negative. (Even if the number of bytes is zero - in that case, load_flat_file() will see nullbytes and return a nice -ENOEXEC.)

In addition, remove the code related to bprm creds and stop using prepare_binprm() - this code is loading a library, not a main executable, and it only actually uses the members "buf", "file" and "filename" of the linux_binprm struct. Instead, call kernel_read() directly.

Cc: stable@vger.kernel.org
Fixes: 287980e49ffc ("remove lots of IS_ERR_VALUE abuses")
Signed-off-by: Jann Horn
---
I only found the bug by looking at the code, I have not verified its existence at runtime. Also, this patch is compile-tested only. It would be nice if someone who works with nommu Linux could have a look at this patch.

akpm's tree is the right one for this patch, right?

fs/binfmt_flat.c | 23 +++++++---------------- 1 file changed, 7 insertions(+), 16 deletions(-) diff --git a/fs/binfmt_flat.c b/fs/binfmt_flat.c index 82a48e830018..e4b59e76afb0 100644 --- a/fs/binfmt_flat.c +++ b/fs/binfmt_flat.c @@ -856,9 +856,14 @@ static int load_flat_file(struct linux_binprm *bprm, static int load_flat_shared_library(int id, struct lib_info *libs) { + /* + * This is a fake bprm struct; only the members "buf", "file" and + * "filename" are actually used. + */ struct linux_binprm bprm; int res; char buf[16]; + loff_t pos = 0; memset(&bprm, 0, sizeof(bprm)); @@ -872,25 +877,11 @@ static int load_flat_shared_library(int id, struct lib_info *libs) if (IS_ERR(bprm.file)) return res; - bprm.cred = prepare_exec_creds(); - res = -ENOMEM; - if (!bprm.cred) - goto out; - - /* We don't really care about recalculating credentials at this point - * as we're past the point of no return and are dealing with shared - * libraries. - */ - bprm.called_set_creds = 1; + res = kernel_read(bprm.file, bprm.buf, BINPRM_BUF_SIZE, &pos); - res = prepare_binprm(&bprm); - - if (!res) + if (res >= 0) res = load_flat_file(&bprm, libs, id, NULL); - abort_creds(bprm.cred); - -out: allow_write_access(bprm.file); fput(bprm.file); -- 2.22.0.rc1.257.g3120a18244-goog
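Review bot: in the first hunk (@@ -856,9 +856,14 @@), the new comment says only "buf", "file" and "filename" of the fake bprm are used, but nothing enforces that: after the second hunk drops `bprm.cred = prepare_exec_creds();`, `bprm.cred` is left NULL by the `memset(&bprm, 0, sizeof(bprm))` in the context, so any future change that makes load_flat_file() touch `bprm->cred` on the shared-library path would dereference NULL. Suggest the comment state explicitly that `cred` is deliberately NULL here and that load_flat_file() must not rely on it when called with a library id, so the next person editing load_flat_file() sees the constraint. The added `loff_t pos = 0;` is the right companion for the `kernel_read()` call introduced below.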
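Review bot: in the second hunk (@@ -872,25 +877,11 @@), `if (res >= 0)` admits a short read, including one of fewer bytes than a FLAT header, and that is only safe because `bprm.buf` was zeroed by the earlier `memset`, so load_flat_file() sees null bytes and returns -ENOEXEC. That argument lives in the commit message rather than in the code; put it in a comment next to `res = kernel_read(bprm.file, bprm.buf, BINPRM_BUF_SIZE, &pos);`, or make it explicit by rejecting `res` smaller than the header size before calling load_flat_file(). Minor: `res` is declared `int` while kernel_read() returns ssize_t; the narrowing is harmless with BINPRM_BUF_SIZE as the request but worth noting. Removing `abort_creds(bprm.cred);` together with the `prepare_exec_creds()` call and the `out:` label is consistent; the only remaining early exit (`if (IS_ERR(bprm.file)) return res;`) runs before any resource is held.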
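As an added illustration, not part of Jann's patch or of fs/binfmt_flat.c, the following C program models the return-value mix-up the commit message describes: a read routine that, like kernel_read(), returns the byte count or a negative errno is checked once with the broken `!res` test and once with the corrected `res >= 0` test, on a valid file, an empty file and an I/O error. All names here (fake_kernel_read, fake_load_flat_file, load_shared_lib_buggy, load_shared_lib_fixed, the sample_* inputs) are constructed for this example; the stand-in loader only checks the FLAT magic "bFLT", which is a deliberate simplification of what the real load_flat_file() does.

```c
/*
 * Added example (not from the patch or the kernel tree): a byte-count
 * return value checked as if it were a 0-on-success status code.
 */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <sys/types.h>

#define BUF_SIZE 16   /* stands in for BINPRM_BUF_SIZE */

/* Constructed "file": its bytes plus a flag that makes the read fail. */
struct sample_file {
    const char *data;
    size_t len;
    bool io_error;
};

/* Mimics kernel_read(): copies up to n bytes, returns the count or -errno. */
static ssize_t fake_kernel_read(const struct sample_file *f, char *buf, size_t n)
{
    if (f->io_error)
        return -EIO;
    size_t count = f->len < n ? f->len : n;
    memcpy(buf, f->data, count);
    return (ssize_t)count;
}

/* Simplified stand-in for load_flat_file(): accept only the "bFLT" magic. */
static int fake_load_flat_file(const char *buf)
{
    if (memcmp(buf, "bFLT", 4) != 0)
        return -ENOEXEC;   /* null bytes or anything else: not a FLAT file */
    return 0;
}

/* Buggy form: a positive byte count fails the `!res` test, so only an empty
 * file (0 bytes read) ever reaches the loader, and the count is returned as
 * if it were an error code. */
static int load_shared_lib_buggy(const struct sample_file *f)
{
    char buf[BUF_SIZE];
    memset(buf, 0, sizeof(buf));
    ssize_t res = fake_kernel_read(f, buf, sizeof(buf));
    if (!res)
        return fake_load_flat_file(buf);
    return (int)res;
}

/* Fixed form: any non-negative count goes on to the loader. A short or empty
 * read leaves null bytes in the zeroed buffer, which the loader rejects. */
static int load_shared_lib_fixed(const struct sample_file *f)
{
    char buf[BUF_SIZE];
    memset(buf, 0, sizeof(buf));
    ssize_t res = fake_kernel_read(f, buf, sizeof(buf));
    if (res >= 0)
        return fake_load_flat_file(buf);
    return (int)res;
}

/* Constructed inputs: a valid 8-byte header, an empty file, a failing read. */
const struct sample_file sample_valid  = { "bFLT\x01\x02\x03\x04", 8, false };
const struct sample_file sample_empty  = { "", 0, false };
const struct sample_file sample_broken = { "", 0, true };
```

With these inputs the buggy form returns 8 for the valid file (the byte count escaping as a bogus "error") and only ever calls the loader for the empty file, whereas the fixed form returns 0 for the valid file, -ENOEXEC for the empty one and -EIO for the failing read.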