aboutsummaryrefslogtreecommitdiffstats
path: root/fs
diff options
context:
space:
mode:
authorAl Viro <viro@zeniv.linux.org.uk>2008-05-10 16:38:25 -0400
committerAl Viro <viro@zeniv.linux.org.uk>2008-05-16 17:23:05 -0400
commit08a6fac1c63233c87eec129938022f1a9a4d51f6 (patch)
tree4fd7a2a906cf5ca0a42b3b8cb30351465f0f6cee /fs
parent5f719558edf9c84bfbb1f7ad37e84c483282d09f (diff)
[PATCH] get rid of leak in compat_execve()
Even though copy_compat_strings() doesn't cache the pages, copy_strings_kernel() and stuff indirectly called by e.g. ->load_binary() is doing that, so we need to drop the cache contents in the end. [found by WANG Cong <wangcong@zeuux.org>] Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Diffstat (limited to 'fs')
-rw-r--r--fs/compat.c4
-rw-r--r--fs/exec.c12
2 files changed, 10 insertions, 6 deletions
diff --git a/fs/compat.c b/fs/compat.c
index 332a869d2c53..ed43e17a5dc6 100644
--- a/fs/compat.c
+++ b/fs/compat.c
@@ -1405,7 +1405,7 @@ int compat_do_execve(char * filename,
1405 /* execve success */ 1405 /* execve success */
1406 security_bprm_free(bprm); 1406 security_bprm_free(bprm);
1407 acct_update_integrals(current); 1407 acct_update_integrals(current);
1408 kfree(bprm); 1408 free_bprm(bprm);
1409 return retval; 1409 return retval;
1410 } 1410 }
1411 1411
@@ -1424,7 +1424,7 @@ out_file:
1424 } 1424 }
1425 1425
1426out_kfree: 1426out_kfree:
1427 kfree(bprm); 1427 free_bprm(bprm);
1428 1428
1429out_ret: 1429out_ret:
1430 return retval; 1430 return retval;
diff --git a/fs/exec.c b/fs/exec.c
index 1f8a24aa1f8b..3c2ba7ce11d4 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -1251,6 +1251,12 @@ int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs)
1251 1251
1252EXPORT_SYMBOL(search_binary_handler); 1252EXPORT_SYMBOL(search_binary_handler);
1253 1253
1254void free_bprm(struct linux_binprm *bprm)
1255{
1256 free_arg_pages(bprm);
1257 kfree(bprm);
1258}
1259
1254/* 1260/*
1255 * sys_execve() executes a new program. 1261 * sys_execve() executes a new program.
1256 */ 1262 */
@@ -1320,17 +1326,15 @@ int do_execve(char * filename,
1320 retval = search_binary_handler(bprm,regs); 1326 retval = search_binary_handler(bprm,regs);
1321 if (retval >= 0) { 1327 if (retval >= 0) {
1322 /* execve success */ 1328 /* execve success */
1323 free_arg_pages(bprm);
1324 security_bprm_free(bprm); 1329 security_bprm_free(bprm);
1325 acct_update_integrals(current); 1330 acct_update_integrals(current);
1326 kfree(bprm); 1331 free_bprm(bprm);
1327 if (displaced) 1332 if (displaced)
1328 put_files_struct(displaced); 1333 put_files_struct(displaced);
1329 return retval; 1334 return retval;
1330 } 1335 }
1331 1336
1332out: 1337out:
1333 free_arg_pages(bprm);
1334 if (bprm->security) 1338 if (bprm->security)
1335 security_bprm_free(bprm); 1339 security_bprm_free(bprm);
1336 1340
@@ -1344,7 +1348,7 @@ out_file:
1344 fput(bprm->file); 1348 fput(bprm->file);
1345 } 1349 }
1346out_kfree: 1350out_kfree:
1347 kfree(bprm); 1351 free_bprm(bprm);
1348 1352
1349out_files: 1353out_files:
1350 if (displaced) 1354 if (displaced)