Signed-off-by: Nicolas Pitre <nico@xxxxxxxxxx> --- fs/binfmt_flat.c | 28 ++++++++++++++++++---------- 1 file changed, 18 insertions(+), 10 deletions(-) diff --git a/fs/binfmt_flat.c b/fs/binfmt_flat.c index fc0ee3ed5d..c85f8f1239 100644 --- a/fs/binfmt_flat.c +++ b/fs/binfmt_flat.c @@ -394,38 +394,41 @@ static void old_reloc(unsigned long rl) static const char *segment[] = { "TEXT", "DATA", "BSS", "*UNKNOWN*" }; #endif flat_v2_reloc_t r; - unsigned long *ptr; + unsigned long __user *ptr; + unsigned long val; r.value = rl; #if defined(CONFIG_COLDFIRE) - ptr = (unsigned long *) (current->mm->start_code + r.reloc.offset); + ptr = (unsigned long __user *)(current->mm->start_code + r.reloc.offset); #else - ptr = (unsigned long *) (current->mm->start_data + r.reloc.offset); + ptr = (unsigned long __user *)(current->mm->start_data + r.reloc.offset); #endif + __get_user(val, ptr); #ifdef DEBUG printk("Relocation of variable at DATASEG+%x " "(address %p, currently %lx) into segment %s\n", - r.reloc.offset, ptr, *ptr, segment[r.reloc.type]); + r.reloc.offset, ptr, val, segment[r.reloc.type]); #endif switch (r.reloc.type) { case OLD_FLAT_RELOC_TYPE_TEXT: - *ptr += current->mm->start_code; + val += current->mm->start_code; break; case OLD_FLAT_RELOC_TYPE_DATA: - *ptr += current->mm->start_data; + val += current->mm->start_data; break; case OLD_FLAT_RELOC_TYPE_BSS: - *ptr += current->mm->end_data; + val += current->mm->end_data; break; default: printk("BINFMT_FLAT: Unknown relocation type=%x\n", r.reloc.type); break; } + __put_user(val, ptr); #ifdef DEBUG - printk("Relocation became %lx\n", *ptr); + printk("Relocation became %lx\n", val); #endif } @@ -788,8 +791,13 @@ static int load_flat_file(struct linux_binprm * bprm, } } } else { - for (i=0; i < relocs; i++) - old_reloc(ntohl(reloc[i])); + for (i=0; i < relocs; i++) { + unsigned long relval; + if (get_user(relval, reloc + i)) + return -EFAULT; + relval = ntohl(relval); + old_reloc(relval); + } } flush_icache_range(start_code, end_code); -- 2.7.4 -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html