Syzkaller found an issue where an invalid interpreter pointer is dereferenced in load_elf_binary()->allow_write_access(). Fix this by jumping to a different label in the cleanup path. This patch applies against the latest linux-next tree. I have not tested that the patch addresses the issue, but it should, imho. Signed-off-by: Nikitas Angelinas <nikitas.angelinas@xxxxxxxxx> Reported-by: syzbot+0d1fcd7268b21baced4a@xxxxxxxxxxxxxxxxxxxxxxxxx Fixes: 44e63c4a0263 ("fs/binfmt_elf.c: free PT_INTERP filename ASAP") --- fs/binfmt_elf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c index 51bc894..09e76b2 100644 --- a/fs/binfmt_elf.c +++ b/fs/binfmt_elf.c @@ -777,7 +777,7 @@ static int load_elf_binary(struct linux_binprm *bprm) kfree(elf_interpreter); retval = PTR_ERR(interpreter); if (IS_ERR(interpreter)) - goto out_free_dentry; + goto out_free_ph; /* * If the binary is not readable then enforce -- 2.10.0
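Review bot: at the changed `goto out_free_ph` in the `IS_ERR(interpreter)` branch of load_elf_binary(), the changelog should say what the skipped `out_free_dentry` label releases besides calling `allow_write_access()`, so a reader can confirm that jumping past it leaks nothing acquired before this point. The visible context shows the filename already released by `kfree(elf_interpreter)` just above the check, but any other allocation freed only under `out_free_dentry` needs the same confirmation. Since the message states the fix is untested, running the syzbot reproducer from the Reported-by report before merging would confirm that an error-valued `interpreter` no longer reaches `allow_write_access()`.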