From: Oleg Nesterov <oleg@xxxxxxxxxx> Subject: exec: binfmt_misc: fix race between load_misc_binary() and kill_node() load_misc_binary() makes a local copy of fmt->interpreter under entries_lock to avoid the race with kill_node() but this is not enough; the whole Node can be freed after we drop entries_lock, not only the ->interpreter string. Add dget/dput(fmt->dentry) to ensure bm_evict_inode() can't destroy/free this Node. Link: http://lkml.kernel.org/r/20170922143650.GA17227@xxxxxxxxxx Signed-off-by: Oleg Nesterov <oleg@xxxxxxxxxx> Acked-by: Kees Cook <keescook@xxxxxxxxxxxx> Cc: Al Viro <viro@xxxxxxxxxxxxxxxxxx> Cc: Ben Woodard <woodard@xxxxxxxxxx> Cc: James Bottomley <James.Bottomley@xxxxxxxxxxxxxxxxxxxxx> Cc: Jim Foraker <foraker1@xxxxxxxx> Cc: Travis Gummels <tgummels@xxxxxxxxxx> Cc: <tdhooge@xxxxxxxx> Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> --- fs/binfmt_misc.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff -puN fs/binfmt_misc.c~exec-binfmt_misc-fix-race-between-load_misc_binary-and-kill_node fs/binfmt_misc.c --- a/fs/binfmt_misc.c~exec-binfmt_misc-fix-race-between-load_misc_binary-and-kill_node +++ a/fs/binfmt_misc.c @@ -138,20 +138,23 @@ static int load_misc_binary(struct linux retval = -ENOEXEC; if (!enabled) - goto ret; + return retval; /* to keep locking time low, we copy the interpreter string */ read_lock(&entries_lock); fmt = check_file(bprm); - if (fmt) + if (fmt) { + dget(fmt->dentry); strlcpy(iname, fmt->interpreter, BINPRM_BUF_SIZE); + } read_unlock(&entries_lock); if (!fmt) - goto ret; + return retval; /* Need to be able to load the file after exec */ + retval = -ENOENT; if (bprm->interp_flags & BINPRM_FLAGS_PATH_INACCESSIBLE) - return -ENOENT; + goto ret; if (!(fmt->flags & MISC_FMT_PRESERVE_ARGV0)) { retval = remove_arg_zero(bprm); 
@@ -238,6 +241,7 @@ static int load_misc_binary(struct linux goto error; ret: + dput(fmt->dentry); return retval; error: if (fd_binary > 0) _
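Review bot: in the first hunk (@@ -138,20 +138,23 @@), the comment above read_lock(&entries_lock) still only explains the strlcpy() of the interpreter string, while the new dget(fmt->dentry) in the same critical section is what actually keeps the Node alive after read_unlock(). Suggest extending that comment to say the dentry reference pins the Node and is dropped by the dput() at ret:, so a later change does not add a plain return after the unlock and leak the reference. The conversion of the BINPRM_FLAGS_PATH_INACCESSIBLE exit from `return -ENOENT` to `retval = -ENOENT; ... goto ret;` is the pattern every exit after the unlock has to follow.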
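Review bot: in the second hunk (@@ -238,6 +241,7 @@), the dput(fmt->dentry) at ret: dereferences fmt unconditionally, so ret: is only safe to reach once the dget() in the first hunk has run. The two early exits (`if (!enabled)` and `if (!fmt)`) were correctly changed to `return retval`, but nothing at the label records that constraint; a short comment at ret: noting that fmt must be non-NULL and referenced here would help. The context shown also stops at `if (fd_binary > 0)`, so it is not visible from this hunk whether the error: path ends by jumping back to ret:; worth confirming, since otherwise the failure path would skip the dput().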