do_coredump() accesses helper_argv[0] without checking helper_argv != NULL.
Though, likely helper_argv != NULL.
Below versions have this problem.
2.6.24.7
2.6.25.20
2.6.26.8
2.6.27.10
2.6.28-rc9
mmotm 2008-12-22-16-14
Signed-off-by: Tetsuo Handa <penguin-kernel@xxxxxxxxxxxxxxxxxxx>
---
fs/exec.c | 5 +++++
1 file changed, 5 insertions(+)
--- linux-2.6.28-rc9-mm1.orig/fs/exec.c
+++ linux-2.6.28-rc9-mm1/fs/exec.c
@@ -1809,10 +1809,15 @@ int do_coredump(long signr, int exit_cod
if ((!ispipe) && (core_limit < binfmt->min_coredump))
goto fail_unlock;
if (ispipe) {
helper_argv = argv_split(GFP_KERNEL, corename+1, &helper_argc);
+ if (!helper_argv) {
+ printk(KERN_WARNING "%s failed to allocate memory\n",
+ __func__);
+ goto fail_unlock;
+ }
/* Terminate the string before the first option */
delimit = strchr(corename, ' ');
if (delimit)
*delimit = '\0';
delimit = strrchr(helper_argv[0], '/');
--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
