+ invalid-return-value-of-execve-resulting-in-oopses.patch added to -mm tree

akpm@xxxxxxxxxxxxxxxxxxxx · Thu, 03 May 2007 13:04:40 -0700

The patch titled
     Invalid return value of execve() resulting in oopses
has been added to the -mm tree.  Its filename is
     invalid-return-value-of-execve-resulting-in-oopses.patch

*** Remember to use Documentation/SubmitChecklist when testing your code ***

See http://www.zip.com.au/~akpm/linux/patches/stuff/added-to-mm.txt to find
out what to do about this

------------------------------------------------------
Subject: Invalid return value of execve() resulting in oopses
From: Alexey Kuznetsov <alexey@xxxxxxxxxx>

When elf loader fails to map executable (due to memory shortage or because
binary is malformed), it can return 0.  Normally, this is invisible because
process is killed with SIGKILL and it never returns to user space.

But if exec() is called from kernel thread (hotplug, whatever)
consequences are more interesting and vary depending on architecture.

i386.   Nothing especially interesting, execve() just returns
        with "success"  :-)

x86_64. Fake zero frame is used on way to caller, RSP/RIP are loaded
        with zeros, ergo... double fault.

ia64.   Similar to i386, but r32...r95 are corrupted. Sometimes it
        oopses due to return to zero PC, sometimes it sees NaT in
        rXX and oopses due to NaT consumption.

Signed-off-by: Alexey Kuznetsov <alexey@xxxxxxxxxx>
Signed-off-by: Kirill Korotaev <dev@xxxxxxxxxx>
Signed-off-by: Pavel Emelianov <xemul@xxxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
---

 fs/binfmt_elf.c |    3 +++
 1 files changed, 3 insertions(+)

diff -puN fs/binfmt_elf.c~invalid-return-value-of-execve-resulting-in-oopses fs/binfmt_elf.c

--- a/fs/binfmt_elf.c~invalid-return-value-of-execve-resulting-in-oopses
+++ a/fs/binfmt_elf.c
@@ -871,6 +871,8 @@ static int load_elf_binary(struct linux_
 				elf_prot, elf_flags);
 		if (BAD_ADDR(error)) {
 			send_sig(SIGKILL, current, 0);
+			retval = IS_ERR((void *)error) ?
+				PTR_ERR((void*)error) : -EINVAL;
 			goto out_free_dentry;
 		}
 
@@ -900,6 +902,7 @@ static int load_elf_binary(struct linux_
 		    TASK_SIZE - elf_ppnt->p_memsz < k) {
 			/* set_brk can never work. Avoid overflows. */
 			send_sig(SIGKILL, current, 0);
+			retval = -EINVAL;
 			goto out_free_dentry;
 		}
 
_

Patches currently in -mm which might be from alexey@xxxxxxxxxx are

invalid-return-value-of-execve-resulting-in-oopses.patch

-
To unsubscribe from this list: send the line "unsubscribe mm-commits" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html




