diff options
author | Al Viro <viro@zeniv.linux.org.uk> | 2008-05-10 16:38:25 -0400 |
---|---|---|
committer | Al Viro <viro@zeniv.linux.org.uk> | 2008-05-16 17:23:05 -0400 |
commit | 08a6fac1c63233c87eec129938022f1a9a4d51f6 (patch) | |
tree | 4fd7a2a906cf5ca0a42b3b8cb30351465f0f6cee | |
parent | 5f719558edf9c84bfbb1f7ad37e84c483282d09f (diff) | |
download | lwn-08a6fac1c63233c87eec129938022f1a9a4d51f6.tar.gz lwn-08a6fac1c63233c87eec129938022f1a9a4d51f6.zip |
[PATCH] get rid of leak in compat_execve()
Even though copy_compat_strings() doesn't cache the pages,
copy_strings_kernel() and stuff indirectly called by e.g.
->load_binary() is doing that, so we need to drop the
cache contents in the end.
[found by WANG Cong <wangcong@zeuux.org>]
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
-rw-r--r-- | fs/compat.c | 4 | ||||
-rw-r--r-- | fs/exec.c | 12 | ||||
-rw-r--r-- | include/linux/binfmts.h | 1 |
3 files changed, 11 insertions, 6 deletions
diff --git a/fs/compat.c b/fs/compat.c index 332a869d2c53..ed43e17a5dc6 100644 --- a/fs/compat.c +++ b/fs/compat.c @@ -1405,7 +1405,7 @@ int compat_do_execve(char * filename, /* execve success */ security_bprm_free(bprm); acct_update_integrals(current); - kfree(bprm); + free_bprm(bprm); return retval; } @@ -1424,7 +1424,7 @@ out_file: } out_kfree: - kfree(bprm); + free_bprm(bprm); out_ret: return retval; diff --git a/fs/exec.c b/fs/exec.c index 1f8a24aa1f8b..3c2ba7ce11d4 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -1251,6 +1251,12 @@ int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs) EXPORT_SYMBOL(search_binary_handler); +void free_bprm(struct linux_binprm *bprm) +{ + free_arg_pages(bprm); + kfree(bprm); +} + /* * sys_execve() executes a new program. */ @@ -1320,17 +1326,15 @@ int do_execve(char * filename, retval = search_binary_handler(bprm,regs); if (retval >= 0) { /* execve success */ - free_arg_pages(bprm); security_bprm_free(bprm); acct_update_integrals(current); - kfree(bprm); + free_bprm(bprm); if (displaced) put_files_struct(displaced); return retval; } out: - free_arg_pages(bprm); if (bprm->security) security_bprm_free(bprm); @@ -1344,7 +1348,7 @@ out_file: fput(bprm->file); } out_kfree: - kfree(bprm); + free_bprm(bprm); out_files: if (displaced) diff --git a/include/linux/binfmts.h b/include/linux/binfmts.h index b512e48f6d8e..ee0ed48e8348 100644 --- a/include/linux/binfmts.h +++ b/include/linux/binfmts.h @@ -99,6 +99,7 @@ extern int copy_strings_kernel(int argc,char ** argv,struct linux_binprm *bprm); extern void compute_creds(struct linux_binprm *binprm); extern int do_coredump(long signr, int exit_code, struct pt_regs * regs); extern int set_binfmt(struct linux_binfmt *new); +extern void free_bprm(struct linux_binprm *); #endif /* __KERNEL__ */ #endif /* _LINUX_BINFMTS_H */ |