Re: [PATCH] exec: do not pass invalid pointer to kfree() from free_bprm()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, Nov 05, 2024 at 02:13:44PM +0300, Dmitry Antipov wrote:
> Syzbot has reported the following BUG:
> 
> kernel BUG at arch/x86/mm/physaddr.c:23!
> Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
> CPU: 2 UID: 0 PID: 5869 Comm: repro Not tainted 6.12.0-rc5-next-20241101-syzkaller #0
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014
> RIP: 0010:__phys_addr+0x16a/0x170
> Code: 40 a8 7a 8e 4c 89 f6 4c 89 fa e8 b1 4d aa 03 e9 45 ff ff ff e8 a7 1a 52 00 90 0f 0b e8 9f 1a 52 00 90 0f 0b e8 97 1a 52 00 90 <0f> 0b 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
> RSP: 0018:ffffc90002f7fda0 EFLAGS: 00010293
> RAX: ffffffff8143a369 RBX: 000000007ffffff2 RCX: ffff888106df5640
> RDX: 0000000000000000 RSI: 000000007ffffff2 RDI: 000000001fffffff
> RBP: 1ffff11020df6d09 R08: ffffffff8143a305 R09: 1ffffffff203a1f6
> R10: dffffc0000000000 R11: fffffbfff203a1f7 R12: dffffc0000000000
> R13: fffffffffffffff2 R14: 000000007ffffff2 R15: ffff88802bc12d58
> FS:  00007f01bd1a7600(0000) GS:ffff888062900000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: fffffffffffffff8 CR3: 0000000011f80000 CR4: 00000000000006f0
> Call Trace:
>  <TASK>
>  ? __die_body+0x5f/0xb0
>  ? die+0x9e/0xc0
>  ? do_trap+0x15a/0x3a0
>  ? __phys_addr+0x16a/0x170
>  ? do_error_trap+0x1dc/0x2c0
>  ? __phys_addr+0x16a/0x170
>  ? __pfx_do_error_trap+0x10/0x10
>  ? handle_invalid_op+0x34/0x40
>  ? __phys_addr+0x16a/0x170
>  ? exc_invalid_op+0x38/0x50
>  ? asm_exc_invalid_op+0x1a/0x20
>  ? __phys_addr+0x105/0x170
>  ? __phys_addr+0x169/0x170
>  ? __phys_addr+0x16a/0x170
>  ? free_bprm+0x2b5/0x300
>  kfree+0x71/0x420
>  ? free_bprm+0x295/0x300
>  free_bprm+0x2b5/0x300
>  do_execveat_common+0x3ae/0x750
>  __x64_sys_execveat+0xc4/0xe0
>  do_syscall_64+0xf3/0x230
>  entry_SYSCALL_64_after_hwframe+0x77/0x7f
> RIP: 0033:0x7f01bd0c36a9
> Code: 5c c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 4f 37 0d 00 f7 d8 64 89 01 48
> RSP: 002b:00007fff034da398 EFLAGS: 00000246 ORIG_RAX: 0000000000000142
> RAX: ffffffffffffffda RBX: 0000000000403e00 RCX: 00007f01bd0c36a9
> RDX: 0000000000000000 RSI: 0000000020000000 RDI: 0000000000000004
> RBP: 0000000000000001 R08: 0000000000001000 R09: 0000000000403e00
> R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff034da4b8
> R13: 00007fff034da4c8 R14: 0000000000401050 R15: 00007f01bd1dca80
>  </TASK>
> 
> Since 'bprm_add_fixup_comm()' may set 'bprm->argv0' to 'ERR_PTR()',
> errno-lookalike invalid pointer should not be passed to 'kfree()'.
> 
> Reported-by: syzbot+03e1af5c332f7e0eb84b@xxxxxxxxxxxxxxxxxxxxxxxxx
> Closes: https://syzkaller.appspot.com/bug?extid=03e1af5c332f7e0eb84b
> Fixes: 7afad450c998 ("exec: fix up /proc/pid/comm in the execveat(AT_EMPTY_PATH) case")
> Signed-off-by: Dmitry Antipov <dmantipov@xxxxxxxxx>
> ---
>  fs/exec.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/fs/exec.c b/fs/exec.c
> index ef18eb0ea5b4..df70ed8e36fe 100644
> --- a/fs/exec.c
> +++ b/fs/exec.c
> @@ -1496,7 +1496,8 @@ static void free_bprm(struct linux_binprm *bprm)
>  	if (bprm->interp != bprm->filename)
>  		kfree(bprm->interp);
>  	kfree(bprm->fdpath);
> -	kfree(bprm->argv0);
> +	if (!IS_ERR(bprm->argv0))
> +		kfree(bprm->argv0);
>  	kfree(bprm);
>  }

It's better to avoid setting bprm->argv0 if strndup_user() fails.

diff --git a/fs/exec.c b/fs/exec.c
index ef18eb0ea5b4..9380e166eff5 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -1504,6 +1504,7 @@ static int bprm_add_fixup_comm(struct linux_binprm *bprm,
 			       struct user_arg_ptr argv)
 {
 	const char __user *p = get_user_arg_ptr(argv, 0);
+	char *argv0;
 
 	/*
 	 * If p == NULL, let's just fall back to fdpath.
@@ -1511,10 +1512,11 @@ static int bprm_add_fixup_comm(struct linux_binprm *bprm,
 	if (!p)
 		return 0;
 
-	bprm->argv0 = strndup_user(p, MAX_ARG_STRLEN);
-	if (IS_ERR(bprm->argv0))
-		return PTR_ERR(bprm->argv0);
+	argv0 = strndup_user(p, MAX_ARG_STRLEN);
+	if (IS_ERR(argv0))
+		return PTR_ERR(argv0);
 
+	bprm->argv0 = argv0;
 	return 0;
 }
 
-- 
  Kiryl Shutsemau / Kirill A. Shutemov




[Index of Archives]     [Linux Ext4 Filesystem]     [Union Filesystem]     [Filesystem Testing]     [Ceph Users]     [Ecryptfs]     [NTFS 3]     [AutoFS]     [Kernel Newbies]     [Share Photos]     [Security]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux Cachefs]     [Reiser Filesystem]     [Linux RAID]     [NTFS 3]     [Samba]     [Device Mapper]     [CEPH Development]

  Powered by Linux