diff options
author | Hugh Dickins <hugh@veritas.com> | 2009-03-28 19:16:03 -0400 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2009-03-28 20:30:00 -0400 |
commit | 53e9309e01277ec99c38e84e0ca16921287cf470 (patch) | |
tree | bc70d617e1898e5b0fdf161edafa1808ae8fa529 | |
parent | 07d43ba98621f08e252a48c96b258b4d572b0257 (diff) |
compat_do_execve should unshare_files
2.6.26's commit fd8328be874f4190a811c58cd4778ec2c74d2c05
"sanitize handling of shared descriptor tables in failing execve()"
moved the unshare_files() from flush_old_exec() and several binfmts
to the head of do_execve(); but forgot to make the same change to
compat_do_execve(), leaving a CLONE_FILES files_struct shared across
exec from a 32-bit process on a 64-bit kernel.
It's arguable whether the files_struct really ought to be unshared
across exec; but 2.6.1 made that so to stop the loading binary's fd
leaking into other threads, and a 32-bit process on a 64-bit kernel
ought to behave in the same way as 32 on 32 and 64 on 64.
Signed-off-by: Hugh Dickins <hugh@veritas.com>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-rw-r--r-- | fs/compat.c | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/fs/compat.c b/fs/compat.c index 5e374aad33f7..b543363dd625 100644 --- a/fs/compat.c +++ b/fs/compat.c | |||
@@ -1420,12 +1420,17 @@ int compat_do_execve(char * filename, | |||
1420 | { | 1420 | { |
1421 | struct linux_binprm *bprm; | 1421 | struct linux_binprm *bprm; |
1422 | struct file *file; | 1422 | struct file *file; |
1423 | struct files_struct *displaced; | ||
1423 | int retval; | 1424 | int retval; |
1424 | 1425 | ||
1426 | retval = unshare_files(&displaced); | ||
1427 | if (retval) | ||
1428 | goto out_ret; | ||
1429 | |||
1425 | retval = -ENOMEM; | 1430 | retval = -ENOMEM; |
1426 | bprm = kzalloc(sizeof(*bprm), GFP_KERNEL); | 1431 | bprm = kzalloc(sizeof(*bprm), GFP_KERNEL); |
1427 | if (!bprm) | 1432 | if (!bprm) |
1428 | goto out_ret; | 1433 | goto out_files; |
1429 | 1434 | ||
1430 | retval = mutex_lock_interruptible(¤t->cred_exec_mutex); | 1435 | retval = mutex_lock_interruptible(¤t->cred_exec_mutex); |
1431 | if (retval < 0) | 1436 | if (retval < 0) |
@@ -1487,6 +1492,8 @@ int compat_do_execve(char * filename, | |||
1487 | mutex_unlock(¤t->cred_exec_mutex); | 1492 | mutex_unlock(¤t->cred_exec_mutex); |
1488 | acct_update_integrals(current); | 1493 | acct_update_integrals(current); |
1489 | free_bprm(bprm); | 1494 | free_bprm(bprm); |
1495 | if (displaced) | ||
1496 | put_files_struct(displaced); | ||
1490 | return retval; | 1497 | return retval; |
1491 | 1498 | ||
1492 | out: | 1499 | out: |
@@ -1506,6 +1513,9 @@ out_unlock: | |||
1506 | out_free: | 1513 | out_free: |
1507 | free_bprm(bprm); | 1514 | free_bprm(bprm); |
1508 | 1515 | ||
1516 | out_files: | ||
1517 | if (displaced) | ||
1518 | reset_files_struct(displaced); | ||
1509 | out_ret: | 1519 | out_ret: |
1510 | return retval; | 1520 | return retval; |
1511 | } | 1521 | } |