The patch titled
     Subject: exec: binfmt_misc: fix race between load_misc_binary() and kill_node()
has been added to the -mm tree.  Its filename is
     exec-binfmt_misc-fix-race-between-load_misc_binary-and-kill_node.patch

This patch should soon appear at
    http://ozlabs.org/~akpm/mmots/broken-out/exec-binfmt_misc-fix-race-between-load_misc_binary-and-kill_node.patch
and later at
    http://ozlabs.org/~akpm/mmotm/broken-out/exec-binfmt_misc-fix-race-between-load_misc_binary-and-kill_node.patch

Before you just go and hit "reply", please:
   a) Consider who else should be cc'ed
   b) Prefer to cc a suitable mailing list as well
   c) Ideally: find the original patch on the mailing list and do a
      reply-to-all to that, adding suitable additional cc's

*** Remember to use Documentation/SubmitChecklist when testing your code ***

The -mm tree is included into linux-next and is updated
there every 3-4 working days

------------------------------------------------------
From: Oleg Nesterov <oleg@xxxxxxxxxx>
Subject: exec: binfmt_misc: fix race between load_misc_binary() and kill_node()

load_misc_binary() makes a local copy of fmt->interpreter under entries_lock
to avoid the race with kill_node(), but this is not enough; the whole Node can
be freed after we drop entries_lock, not only the ->interpreter string.

Add dget/dput(fmt->dentry) to ensure bm_evict_inode() can't destroy/free this
Node.

Link: http://lkml.kernel.org/r/20170922143650.GA17227@xxxxxxxxxx
Signed-off-by: Oleg Nesterov <oleg@xxxxxxxxxx>
Acked-by: Kees Cook <keescook@xxxxxxxxxxxx>
Cc: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
Cc: Ben Woodard <woodard@xxxxxxxxxx>
Cc: James Bottomley <James.Bottomley@xxxxxxxxxxxxxxxxxxxxx>
Cc: Jim Foraker <foraker1@xxxxxxxx>
Cc: Travis Gummels <tgummels@xxxxxxxxxx>
Cc: <tdhooge@xxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> --- fs/binfmt_misc.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff -puN fs/binfmt_misc.c~exec-binfmt_misc-fix-race-between-load_misc_binary-and-kill_node fs/binfmt_misc.c --- a/fs/binfmt_misc.c~exec-binfmt_misc-fix-race-between-load_misc_binary-and-kill_node +++ a/fs/binfmt_misc.c @@ -138,20 +138,23 @@ static int load_misc_binary(struct linux retval = -ENOEXEC; if (!enabled) - goto ret; + return retval; /* to keep locking time low, we copy the interpreter string */ read_lock(&entries_lock); fmt = check_file(bprm); - if (fmt) + if (fmt) { + dget(fmt->dentry); strlcpy(iname, fmt->interpreter, BINPRM_BUF_SIZE); + } read_unlock(&entries_lock); if (!fmt) - goto ret; + return retval; /* Need to be able to load the file after exec */ + retval = -ENOENT; if (bprm->interp_flags & BINPRM_FLAGS_PATH_INACCESSIBLE) - return -ENOENT; + goto ret; if (!(fmt->flags & MISC_FMT_PRESERVE_ARGV0)) { retval = remove_arg_zero(bprm); @@ -238,6 +241,7 @@ static int load_misc_binary(struct linux goto error; ret: + dput(fmt->dentry); return retval; error: if (fd_binary > 0) _ Patches currently in -mm which might be from oleg@xxxxxxxxxx are exec-load_script-kill-the-onstack-interp-array.patch exec-binfmt_misc-dont-nullify-node-dentry-in-kill_node.patch exec-binfmt_misc-shift-filp_closeinterp_file-from-kill_node-to-bm_evict_inode.patch exec-binfmt_misc-remove-the-confusing-e-interp_file-=-null-checks.patch exec-binfmt_misc-fix-race-between-load_misc_binary-and-kill_node.patch exec-binfmt_misc-kill-the-onstack-iname-array.patch -- To unsubscribe from this list: send the line "unsubscribe mm-commits" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
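Review bot: in the first hunk (@@ -138,20 +138,23 @@) the comment `/* to keep locking time low, we copy the interpreter string */` above the read_lock() is now misleading, because the locked region's real job after this change is the `dget(fmt->dentry)`; with that reference held, fmt and fmt->interpreter stay valid after read_unlock(), so the strlcpy() into iname is no longer what protects against kill_node(). Update the comment, or drop the copy together with it (the series list above already carries exec-binfmt_misc-kill-the-onstack-iname-array.patch). Two further points on the same hunk: the change of the `if (!enabled)` and `if (!fmt)` exits from `goto ret` to `return retval` is not cosmetic but required, since `ret:` now calls dput() on a reference that has not been taken on those paths (fmt is even NULL on the second one), and a one-line comment there would stop someone from reintroducing a `goto ret` before the dget(); and the hunk only works if kill_node() leaves fmt->dentry intact, which the earlier exec-binfmt_misc-dont-nullify-node-dentry-in-kill_node.patch in the listed series provides, so the two patches must stay in that order.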
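Review bot: in the second hunk (@@ -238,6 +241,7 @@), with `dput(fmt->dentry)` placed at `ret:`, every path that reaches this label must have passed the dget() in the lookup hunk, and every path that took the dget() must reach it exactly once. The `error:` block that begins right after `ret:` is only shown up to `if (fd_binary > 0)`; confirm that it still finishes by jumping back to `ret:`, so the `goto error` exits after the lookup also drop the reference, otherwise every failed exec of a misc binary leaks a dentry reference and keeps the Node alive. Also worth a comment at the label: if kill_node() ran in the meantime, this dput() is the last reference, so bm_evict_inode() and the Node free now happen on the exec path, and nothing after `ret:` may touch fmt; the hunk respects that since only `return retval` follows.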
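The race the commit message describes, as an added user-space model in C (example code, not the patch and not the kernel's binfmt_misc). A Node on a list under a read/write lock stands in for the entries list; an atomic count on the Node stands in for the dentry reference that dget()/dput() take and drop, with the free on the last put playing the part of bm_evict_inode(); kill_node() unlinks the Node and drops the list's reference; and a kill is injected into the window after the lookup has dropped the lock. All identifiers (node, lookup, load_with_kill, nodes_freed, freed_by_kill, the lock stand-in) and the qemu interpreter paths are invented for this illustration, and the lock stand-in only checks lock discipline because the demo is single-threaded.

```c
/* Added example, not from the patch or the kernel: a user-space model of the race
 * that dget()/dput() on fmt->dentry closes.  Names and the lock stand-in are invented. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define BINPRM_BUF_SIZE 128

struct node {
    struct node *next;
    atomic_int refcnt;              /* plays the role of the dentry/inode count */
    unsigned flags;
    char interpreter[BINPRM_BUF_SIZE];
};

struct rwlock { int readers, writer; } entries_lock;   /* stand-in: checks discipline only */
static void read_lock(struct rwlock *l)    { if (l->writer) abort(); l->readers++; }
static void read_unlock(struct rwlock *l)  { l->readers--; }
static void write_lock(struct rwlock *l)   { if (l->writer || l->readers) abort(); l->writer = 1; }
static void write_unlock(struct rwlock *l) { l->writer = 0; }

static struct node *entries;        /* list head, protected by entries_lock */
static int nodes_freed;             /* total frees, to observe *when* a Node dies */
static int freed_by_kill;           /* frees caused by the last injected kill_node() */

static struct node *node_add(const char *interp, unsigned flags)
{
    struct node *n = calloc(1, sizeof *n);
    if (!n) abort();
    atomic_init(&n->refcnt, 1);     /* the list's own reference */
    n->flags = flags;
    snprintf(n->interpreter, sizeof n->interpreter, "%s", interp);
    write_lock(&entries_lock);
    n->next = entries; entries = n;
    write_unlock(&entries_lock);
    return n;
}

static void node_put(struct node *n)    /* dput(): free on the last reference */
{
    if (atomic_fetch_sub(&n->refcnt, 1) == 1) { free(n); nodes_freed++; }
}

/* kill_node(): unlink under the write lock, then drop the list's reference only. */
static void kill_node(struct node *victim)
{
    write_lock(&entries_lock);
    for (struct node **pp = &entries; *pp; pp = &(*pp)->next)
        if (*pp == victim) { *pp = victim->next; break; }
    write_unlock(&entries_lock);
    node_put(victim);
}

/* The lookup in load_misc_binary(): copy the string under the read lock.
 * take_ref == false is the pre-patch code (pointer valid only until read_unlock);
 * take_ref == true raises the count while the lock still guarantees *n is live,
 * which is what dget(fmt->dentry) does. */
static struct node *lookup(const char *interp, char *iname, bool take_ref)
{
    struct node *n;
    read_lock(&entries_lock);
    for (n = entries; n; n = n->next)
        if (strcmp(n->interpreter, interp) == 0) {
            if (take_ref)
                atomic_fetch_add(&n->refcnt, 1);
            snprintf(iname, BINPRM_BUF_SIZE, "%s", n->interpreter);
            break;
        }
    read_unlock(&entries_lock);
    return n;
}

/* Exec-like path with kill_node() injected into the window after the lock is
 * dropped.  Returns the Node's flags when a reference is held, -1 when no Node
 * matched, and -2 for the pre-patch variant, where reading fmt would be a
 * use-after-free (freed_by_kill shows the Node is already gone). */
static int load_with_kill(const char *interp, bool take_ref)
{
    char iname[BINPRM_BUF_SIZE];
    struct node *fmt = lookup(interp, iname, take_ref);
    if (!fmt)
        return -1;                  /* nothing referenced: plain return, not goto ret */
    int before = nodes_freed;
    kill_node(fmt);                 /* the racing removal */
    freed_by_kill = nodes_freed - before;
    if (!take_ref)
        return -2;                  /* fmt dangles here; the bug was to keep using it */
    int retval = (int)fmt->flags;   /* safe only because our reference pins the Node */
    node_put(fmt);                  /* the dput(fmt->dentry) at ret: frees it now */
    return retval;
}

int main(void)
{
    node_add("/usr/bin/qemu-aarch64-static", 0x5);
    int r = load_with_kill("/usr/bin/qemu-aarch64-static", false);
    printf("pre-patch: retval %d, freed by kill: %d\n", r, freed_by_kill);
    node_add("/usr/bin/qemu-aarch64-static", 0x5);
    r = load_with_kill("/usr/bin/qemu-aarch64-static", true);
    printf("patched:   retval %d, freed by kill: %d\n", r, freed_by_kill);
}
```

The detail that matters is where the increment happens: inside the read-locked region, while the list still guarantees the Node is live. Taking the reference after read_unlock() would reintroduce the same window, since kill_node() could already have dropped the last reference by then.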