summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAl Viro <viro@zeniv.linux.org.uk>2008-05-10 16:38:25 -0400
committerAl Viro <viro@zeniv.linux.org.uk>2008-05-16 17:23:05 -0400
commit08a6fac1c63233c87eec129938022f1a9a4d51f6 (patch)
tree4fd7a2a906cf5ca0a42b3b8cb30351465f0f6cee
parent5f719558edf9c84bfbb1f7ad37e84c483282d09f (diff)
downloadlwn-08a6fac1c63233c87eec129938022f1a9a4d51f6.tar.gz
lwn-08a6fac1c63233c87eec129938022f1a9a4d51f6.zip
[PATCH] get rid of leak in compat_execve()
Even though copy_compat_strings() doesn't cache the pages, copy_strings_kernel() and stuff indirectly called by e.g. ->load_binary() is doing that, so we need to drop the cache contents in the end. [found by WANG Cong <wangcong@zeuux.org>] Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
-rw-r--r--fs/compat.c4
-rw-r--r--fs/exec.c12
-rw-r--r--include/linux/binfmts.h1
3 files changed, 11 insertions, 6 deletions
diff --git a/fs/compat.c b/fs/compat.c
index 332a869d2c53..ed43e17a5dc6 100644
--- a/fs/compat.c
+++ b/fs/compat.c
@@ -1405,7 +1405,7 @@ int compat_do_execve(char * filename,
/* execve success */
security_bprm_free(bprm);
acct_update_integrals(current);
- kfree(bprm);
+ free_bprm(bprm);
return retval;
}
@@ -1424,7 +1424,7 @@ out_file:
}
out_kfree:
- kfree(bprm);
+ free_bprm(bprm);
out_ret:
return retval;
diff --git a/fs/exec.c b/fs/exec.c
index 1f8a24aa1f8b..3c2ba7ce11d4 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -1251,6 +1251,12 @@ int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs)
EXPORT_SYMBOL(search_binary_handler);
+void free_bprm(struct linux_binprm *bprm)
+{
+ free_arg_pages(bprm);
+ kfree(bprm);
+}
+
/*
* sys_execve() executes a new program.
*/
@@ -1320,17 +1326,15 @@ int do_execve(char * filename,
retval = search_binary_handler(bprm,regs);
if (retval >= 0) {
/* execve success */
- free_arg_pages(bprm);
security_bprm_free(bprm);
acct_update_integrals(current);
- kfree(bprm);
+ free_bprm(bprm);
if (displaced)
put_files_struct(displaced);
return retval;
}
out:
- free_arg_pages(bprm);
if (bprm->security)
security_bprm_free(bprm);
@@ -1344,7 +1348,7 @@ out_file:
fput(bprm->file);
}
out_kfree:
- kfree(bprm);
+ free_bprm(bprm);
out_files:
if (displaced)
diff --git a/include/linux/binfmts.h b/include/linux/binfmts.h
index b512e48f6d8e..ee0ed48e8348 100644
--- a/include/linux/binfmts.h
+++ b/include/linux/binfmts.h
@@ -99,6 +99,7 @@ extern int copy_strings_kernel(int argc,char ** argv,struct linux_binprm *bprm);
extern void compute_creds(struct linux_binprm *binprm);
extern int do_coredump(long signr, int exit_code, struct pt_regs * regs);
extern int set_binfmt(struct linux_binfmt *new);
+extern void free_bprm(struct linux_binprm *);
#endif /* __KERNEL__ */
#endif /* _LINUX_BINFMTS_H */