summaryrefslogtreecommitdiff
path: root/fs/exec.c
diff options
context:
space:
mode:
authorKees Cook <keescook@chromium.org>2018-03-09 11:30:20 -0800
committerJames Morris <james.morris@microsoft.com>2018-03-19 15:49:32 +1100
commit7bd698b3c04e61ee9e03d4c2a55003f75df14dca (patch)
treed15e529bab47370611aa871465662775f9798027 /fs/exec.c
parent6b4f3d01052a479c7ebbe99d52a663558dc1be2a (diff)
downloadlwn-7bd698b3c04e61ee9e03d4c2a55003f75df14dca.tar.gz
lwn-7bd698b3c04e61ee9e03d4c2a55003f75df14dca.zip
exec: Set file unwritable before LSM check
The LSM check should happen after the file has been confirmed to be unchanging. Without this, we could have a race between the Time of Check (the call to security_kernel_read_file() which could read the file and make access policy decisions) and the Time of Use (starting with kernel_read_file()'s reading of the file contents). In theory, file contents could change between the two. Signed-off-by: Kees Cook <keescook@chromium.org> Reviewed-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Signed-off-by: James Morris <james.morris@microsoft.com>
Diffstat (limited to 'fs/exec.c')
-rw-r--r--fs/exec.c6
1 files changed, 3 insertions, 3 deletions
diff --git a/fs/exec.c b/fs/exec.c
index 7eb8d21bcab9..a919a827d181 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -895,13 +895,13 @@ int kernel_read_file(struct file *file, void **buf, loff_t *size,
if (!S_ISREG(file_inode(file)->i_mode) || max_size < 0)
return -EINVAL;
- ret = security_kernel_read_file(file, id);
+ ret = deny_write_access(file);
if (ret)
return ret;
- ret = deny_write_access(file);
+ ret = security_kernel_read_file(file, id);
if (ret)
- return ret;
+ goto out;
i_size = i_size_read(file_inode(file));
if (max_size > 0 && i_size > max_size) {