Re: [PATCH (repost)] umh: fix refcount underflow in fork_usermode_blob().

On Fri, 27 Mar 2020 09:51:34 +0900 Tetsuo Handa <penguin-kernel@xxxxxxxxxxxxxxxxxxx> wrote:

> Since free_bprm(bprm) always calls allow_write_access(bprm->file) and
> fput(bprm->file) if bprm->file is set to non-NULL, __do_execve_file()
> must call deny_write_access(file) and get_file(file) if called from
> do_execve_file() path. Otherwise, use-after-free access can happen at
> fput(file) in fork_usermode_blob().
> 
>   general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b6b: 0000 [#1] SMP DEBUG_PAGEALLOC
>   CPU: 3 PID: 4131 Comm: insmod Tainted: G           O      5.6.0-rc5+ #978
>   Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/29/2019
>   RIP: 0010:fork_usermode_blob+0xaa/0x190

This is rather old code - what caused this to be observed now?  Some
unusual userspace behaviour?
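
The reference imbalance described in the quoted commit message, as an added user-space model that is not part of the original thread and is not kernel code. `struct file`, `struct bprm`, `exec_file()` and `run_blob()` are simplified stand-ins assumed for illustration; only the function names taken from the commit message mirror the kernel.

```c
#include <stdbool.h>
#include <stdio.h>
/* Simplified model, not kernel code: one refcount and one write-denial count. */
struct file { int f_count; int write_denials; bool freed; };
struct bprm { struct file *file; };

static void get_file(struct file *f) { f->f_count++; }
static void deny_write_access(struct file *f) { f->write_denials++; }
static void allow_write_access(struct file *f) { f->write_denials--; }

/* Drops one reference; returns false if the file was already freed (UAF). */
static bool fput(struct file *f)
{
    if (f->freed) return false;
    if (--f->f_count == 0) f->freed = true;
    return true;
}

/* As in the commit message: always undoes the denial and drops a reference. */
static bool free_bprm(struct bprm *b)
{
    if (!b->file) return true;
    allow_write_access(b->file);
    return fput(b->file);
}

/* Hypothetical stand-in for the exec path given a caller-owned file. */
static bool exec_file(struct file *f, bool take_refs)
{
    struct bprm b = { .file = f };
    if (take_refs) { deny_write_access(f); get_file(f); }
    return free_bprm(&b);
}

/* Caller holds one reference, execs, then does its own fput(): 0 = balanced, -1 = UAF. */
int run_blob(bool take_refs, struct file *out)
{
    struct file f = { .f_count = 1 };
    bool ok = exec_file(&f, take_refs);
    ok = fput(&f) && ok;
    *out = f;
    return ok ? 0 : -1;
}

int main(void)
{
    struct file s, t;
    printf("no refs: %d, refs: %d\n", run_blob(false, &s), run_blob(true, &t));
}
```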




