Re: Kernel panic because of wrong contents in core_pattern

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, Nov 15, 2019 at 02:01:55PM +0100, Dietmar Hahn wrote:

> Later a user tool dumped with SIGSEGV and the linux system crashed.
> I investigated the crash dump and found the cause.
> 
> Via format_corename() in fs/coredump.c the helper_argv[] with 3 entries is
> created and helper_argv[0] == "" (because of the ' ' after the '|')
> ispipe is set to 1.
> Later in call_usermodehelper_setup():
>   sub_info->path = path;  == helper_argv[0] == ""
> This leads in call_usermodehelper_exec() to:
>   if (strlen(sub_info->path) == 0)
>                 goto out;
> with a return value of 0.
> But no pipe is created and thus cprm.file == NULL.
> This leads in file_start_write() to the panic because of dereferencing
>  file_inode(file)->i_mode)
> 
> I'am not sure what's the best way to fix this so I've no patch.
> Thanks.

Check in the caller of format_corename() for **argv being '\0' and fail
if it is?  I mean, turn that
                if (ispipe < 0) {
                        printk(KERN_WARNING "format_corename failed\n");
                        printk(KERN_WARNING "Aborting core\n");
                        goto fail_unlock;
                }   
in there into
		if (ispipe < 0 || !**argv) {
                        printk(KERN_WARNING "format_corename failed\n");
                        printk(KERN_WARNING "Aborting core\n");
                        goto fail_unlock;
                }




[Index of Archives]     [Linux Ext4 Filesystem]     [Union Filesystem]     [Filesystem Testing]     [Ceph Users]     [Ecryptfs]     [AutoFS]     [Kernel Newbies]     [Share Photos]     [Security]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux Cachefs]     [Reiser Filesystem]     [Linux RAID]     [Samba]     [Device Mapper]     [CEPH Development]

  Powered by Linux