diff options
author | Al Viro <viro@zeniv.linux.org.uk> | 2008-05-10 16:38:25 -0400 |
---|---|---|
committer | Al Viro <viro@zeniv.linux.org.uk> | 2008-05-16 17:23:05 -0400 |
commit | 08a6fac1c63233c87eec129938022f1a9a4d51f6 (patch) | |
tree | 4fd7a2a906cf5ca0a42b3b8cb30351465f0f6cee /fs | |
parent | 5f719558edf9c84bfbb1f7ad37e84c483282d09f (diff) |
[PATCH] get rid of leak in compat_execve()
Even though copy_compat_strings() doesn't cache the pages,
copy_strings_kernel() and stuff indirectly called by e.g.
->load_binary() is doing that, so we need to drop the
cache contents in the end.
[found by WANG Cong <wangcong@zeuux.org>]
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Diffstat (limited to 'fs')
-rw-r--r-- | fs/compat.c | 4 | ||||
-rw-r--r-- | fs/exec.c | 12 |
2 files changed, 10 insertions, 6 deletions
diff --git a/fs/compat.c b/fs/compat.c index 332a869d2c53..ed43e17a5dc6 100644 --- a/fs/compat.c +++ b/fs/compat.c | |||
@@ -1405,7 +1405,7 @@ int compat_do_execve(char * filename, | |||
1405 | /* execve success */ | 1405 | /* execve success */ |
1406 | security_bprm_free(bprm); | 1406 | security_bprm_free(bprm); |
1407 | acct_update_integrals(current); | 1407 | acct_update_integrals(current); |
1408 | kfree(bprm); | 1408 | free_bprm(bprm); |
1409 | return retval; | 1409 | return retval; |
1410 | } | 1410 | } |
1411 | 1411 | ||
@@ -1424,7 +1424,7 @@ out_file: | |||
1424 | } | 1424 | } |
1425 | 1425 | ||
1426 | out_kfree: | 1426 | out_kfree: |
1427 | kfree(bprm); | 1427 | free_bprm(bprm); |
1428 | 1428 | ||
1429 | out_ret: | 1429 | out_ret: |
1430 | return retval; | 1430 | return retval; |
@@ -1251,6 +1251,12 @@ int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs) | |||
1251 | 1251 | ||
1252 | EXPORT_SYMBOL(search_binary_handler); | 1252 | EXPORT_SYMBOL(search_binary_handler); |
1253 | 1253 | ||
1254 | void free_bprm(struct linux_binprm *bprm) | ||
1255 | { | ||
1256 | free_arg_pages(bprm); | ||
1257 | kfree(bprm); | ||
1258 | } | ||
1259 | |||
1254 | /* | 1260 | /* |
1255 | * sys_execve() executes a new program. | 1261 | * sys_execve() executes a new program. |
1256 | */ | 1262 | */ |
@@ -1320,17 +1326,15 @@ int do_execve(char * filename, | |||
1320 | retval = search_binary_handler(bprm,regs); | 1326 | retval = search_binary_handler(bprm,regs); |
1321 | if (retval >= 0) { | 1327 | if (retval >= 0) { |
1322 | /* execve success */ | 1328 | /* execve success */ |
1323 | free_arg_pages(bprm); | ||
1324 | security_bprm_free(bprm); | 1329 | security_bprm_free(bprm); |
1325 | acct_update_integrals(current); | 1330 | acct_update_integrals(current); |
1326 | kfree(bprm); | 1331 | free_bprm(bprm); |
1327 | if (displaced) | 1332 | if (displaced) |
1328 | put_files_struct(displaced); | 1333 | put_files_struct(displaced); |
1329 | return retval; | 1334 | return retval; |
1330 | } | 1335 | } |
1331 | 1336 | ||
1332 | out: | 1337 | out: |
1333 | free_arg_pages(bprm); | ||
1334 | if (bprm->security) | 1338 | if (bprm->security) |
1335 | security_bprm_free(bprm); | 1339 | security_bprm_free(bprm); |
1336 | 1340 | ||
@@ -1344,7 +1348,7 @@ out_file: | |||
1344 | fput(bprm->file); | 1348 | fput(bprm->file); |
1345 | } | 1349 | } |
1346 | out_kfree: | 1350 | out_kfree: |
1347 | kfree(bprm); | 1351 | free_bprm(bprm); |
1348 | 1352 | ||
1349 | out_files: | 1353 | out_files: |
1350 | if (displaced) | 1354 | if (displaced) |