This is a note to let you know that I've just added the patch titled exec: Fix NOMMU linux_binprm::exec in transfer_args_to_stack() to the 5.10-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: exec-fix-nommu-linux_binprm-exec-in-transfer_args_to_stack.patch and it can be found in the queue-5.10 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From 2aea94ac14d1e0a8ae9e34febebe208213ba72f7 Mon Sep 17 00:00:00 2001 From: Max Filippov <jcmvbkbc@xxxxxxxxx> Date: Wed, 20 Mar 2024 11:26:07 -0700 Subject: exec: Fix NOMMU linux_binprm::exec in transfer_args_to_stack() From: Max Filippov <jcmvbkbc@xxxxxxxxx> commit 2aea94ac14d1e0a8ae9e34febebe208213ba72f7 upstream. In NOMMU kernel the value of linux_binprm::p is the offset inside the temporary program arguments array maintained in separate pages in the linux_binprm::page. linux_binprm::exec being a copy of linux_binprm::p thus must be adjusted when that array is copied to the user stack. Without that adjustment the value passed by the NOMMU kernel to the ELF program in the AT_EXECFN entry of the aux array doesn't make any sense and it may break programs that try to access memory pointed to by that entry. Adjust linux_binprm::exec before the successful return from the transfer_args_to_stack(). Cc: <stable@xxxxxxxxxxxxxxx> Fixes: b6a2fea39318 ("mm: variable length argument support") Fixes: 5edc2a5123a7 ("binfmt_elf_fdpic: wire up AT_EXECFD, AT_EXECFN, AT_SECURE") Signed-off-by: Max Filippov <jcmvbkbc@xxxxxxxxx> Link: https://lore.kernel.org/r/20240320182607.1472887-1-jcmvbkbc@xxxxxxxxx Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- fs/exec.c | 1 + 1 file changed, 1 insertion(+) --- a/fs/exec.c +++ b/fs/exec.c @@ -888,6 +888,7 @@ int transfer_args_to_stack(struct linux_ goto out; } + bprm->exec += *sp_location - MAX_ARG_PAGES * PAGE_SIZE; *sp_location = sp; out: Patches currently in stable-queue which might be from jcmvbkbc@xxxxxxxxx are queue-5.10/exec-fix-nommu-linux_binprm-exec-in-transfer_args_to_stack.patch