diff options
| author | Dan Aloni <alonid@stratoscale.com> | 2013-09-30 16:45:02 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2013-09-30 17:31:01 -0400 |
| commit | 72023656961b8c81a168a7a6762d589339d0d7ec (patch) | |
| tree | df391a913b5dfd194924a1d1172ba5eed0c14560 /fs | |
| parent | 7393dc45f6ed5d3aba43b06d49eb3b15f1318906 (diff) | |
fs/binfmt_elf.c: prevent a coredump with a large vm_map_count from Oopsing
A high setting of max_map_count, and a process core-dumping with a large
enough vm_map_count could result in an NT_FILE note not being written,
and the kernel crashing immediately later because it has assumed
otherwise.
Reproduction of the oops-causing bug described here:
https://lkml.org/lkml/2013/8/30/50
Rge ussue originated in commit 2aa362c49c31 ("coredump: extend core dump
note section to contain file names of mapped file") from Oct 4, 2012.
This patch make that section optional in that case. fill_files_note()
should signify the error, and also let the info struct in
elf_core_dump() be zero-initialized so that we can check for the
optionally written note.
[akpm@linux-foundation.org: avoid abusing E2BIG, remove a couple of not-really-needed local variables]
[akpm@linux-foundation.org: fix sparse warning]
Signed-off-by: Dan Aloni <alonid@stratoscale.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Denys Vlasenko <vda.linux@googlemail.com>
Reported-by: Martin MOKREJS <mmokrejs@gmail.com>
Tested-by: Martin MOKREJS <mmokrejs@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'fs')
| -rw-r--r-- | fs/binfmt_elf.c | 30 |
1 files changed, 18 insertions, 12 deletions
diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c index 100edcc5e312..4c94a79991bb 100644 --- a/fs/binfmt_elf.c +++ b/fs/binfmt_elf.c | |||
| @@ -1413,7 +1413,7 @@ static void fill_siginfo_note(struct memelfnote *note, user_siginfo_t *csigdata, | |||
| 1413 | * long file_ofs | 1413 | * long file_ofs |
| 1414 | * followed by COUNT filenames in ASCII: "FILE1" NUL "FILE2" NUL... | 1414 | * followed by COUNT filenames in ASCII: "FILE1" NUL "FILE2" NUL... |
| 1415 | */ | 1415 | */ |
| 1416 | static void fill_files_note(struct memelfnote *note) | 1416 | static int fill_files_note(struct memelfnote *note) |
| 1417 | { | 1417 | { |
| 1418 | struct vm_area_struct *vma; | 1418 | struct vm_area_struct *vma; |
| 1419 | unsigned count, size, names_ofs, remaining, n; | 1419 | unsigned count, size, names_ofs, remaining, n; |
| @@ -1428,11 +1428,11 @@ static void fill_files_note(struct memelfnote *note) | |||
| 1428 | names_ofs = (2 + 3 * count) * sizeof(data[0]); | 1428 | names_ofs = (2 + 3 * count) * sizeof(data[0]); |
| 1429 | alloc: | 1429 | alloc: |
| 1430 | if (size >= MAX_FILE_NOTE_SIZE) /* paranoia check */ | 1430 | if (size >= MAX_FILE_NOTE_SIZE) /* paranoia check */ |
| 1431 | goto err; | 1431 | return -EINVAL; |
| 1432 | size = round_up(size, PAGE_SIZE); | 1432 | size = round_up(size, PAGE_SIZE); |
| 1433 | data = vmalloc(size); | 1433 | data = vmalloc(size); |
| 1434 | if (!data) | 1434 | if (!data) |
| 1435 | goto err; | 1435 | return -ENOMEM; |
| 1436 | 1436 | ||
| 1437 | start_end_ofs = data + 2; | 1437 | start_end_ofs = data + 2; |
| 1438 | name_base = name_curpos = ((char *)data) + names_ofs; | 1438 | name_base = name_curpos = ((char *)data) + names_ofs; |
| @@ -1485,7 +1485,7 @@ static void fill_files_note(struct memelfnote *note) | |||
| 1485 | 1485 | ||
| 1486 | size = name_curpos - (char *)data; | 1486 | size = name_curpos - (char *)data; |
| 1487 | fill_note(note, "CORE", NT_FILE, size, data); | 1487 | fill_note(note, "CORE", NT_FILE, size, data); |
| 1488 | err: ; | 1488 | return 0; |
| 1489 | } | 1489 | } |
| 1490 | 1490 | ||
| 1491 | #ifdef CORE_DUMP_USE_REGSET | 1491 | #ifdef CORE_DUMP_USE_REGSET |
| @@ -1686,8 +1686,8 @@ static int fill_note_info(struct elfhdr *elf, int phdrs, | |||
| 1686 | fill_auxv_note(&info->auxv, current->mm); | 1686 | fill_auxv_note(&info->auxv, current->mm); |
| 1687 | info->size += notesize(&info->auxv); | 1687 | info->size += notesize(&info->auxv); |
| 1688 | 1688 | ||
| 1689 | fill_files_note(&info->files); | 1689 | if (fill_files_note(&info->files) == 0) |
| 1690 | info->size += notesize(&info->files); | 1690 | info->size += notesize(&info->files); |
| 1691 | 1691 | ||
| 1692 | return 1; | 1692 | return 1; |
| 1693 | } | 1693 | } |
| @@ -1719,7 +1719,8 @@ static int write_note_info(struct elf_note_info *info, | |||
| 1719 | return 0; | 1719 | return 0; |
| 1720 | if (first && !writenote(&info->auxv, file, foffset)) | 1720 | if (first && !writenote(&info->auxv, file, foffset)) |
| 1721 | return 0; | 1721 | return 0; |
| 1722 | if (first && !writenote(&info->files, file, foffset)) | 1722 | if (first && info->files.data && |
| 1723 | !writenote(&info->files, file, foffset)) | ||
| 1723 | return 0; | 1724 | return 0; |
| 1724 | 1725 | ||
| 1725 | for (i = 1; i < info->thread_notes; ++i) | 1726 | for (i = 1; i < info->thread_notes; ++i) |
| @@ -1806,6 +1807,7 @@ static int elf_dump_thread_status(long signr, struct elf_thread_status *t) | |||
| 1806 | 1807 | ||
| 1807 | struct elf_note_info { | 1808 | struct elf_note_info { |
| 1808 | struct memelfnote *notes; | 1809 | struct memelfnote *notes; |
| 1810 | struct memelfnote *notes_files; | ||
| 1809 | struct elf_prstatus *prstatus; /* NT_PRSTATUS */ | 1811 | struct elf_prstatus *prstatus; /* NT_PRSTATUS */ |
| 1810 | struct elf_prpsinfo *psinfo; /* NT_PRPSINFO */ | 1812 | struct elf_prpsinfo *psinfo; /* NT_PRPSINFO */ |
| 1811 | struct list_head thread_list; | 1813 | struct list_head thread_list; |
| @@ -1896,9 +1898,12 @@ static int fill_note_info(struct elfhdr *elf, int phdrs, | |||
| 1896 | 1898 | ||
| 1897 | fill_siginfo_note(info->notes + 2, &info->csigdata, siginfo); | 1899 | fill_siginfo_note(info->notes + 2, &info->csigdata, siginfo); |
| 1898 | fill_auxv_note(info->notes + 3, current->mm); | 1900 | fill_auxv_note(info->notes + 3, current->mm); |
| 1899 | fill_files_note(info->notes + 4); | 1901 | info->numnote = 4; |
| 1900 | 1902 | ||
| 1901 | info->numnote = 5; | 1903 | if (fill_files_note(info->notes + info->numnote) == 0) { |
| 1904 | info->notes_files = info->notes + info->numnote; | ||
| 1905 | info->numnote++; | ||
| 1906 | } | ||
| 1902 | 1907 | ||
| 1903 | /* Try to dump the FPU. */ | 1908 | /* Try to dump the FPU. */ |
| 1904 | info->prstatus->pr_fpvalid = elf_core_copy_task_fpregs(current, regs, | 1909 | info->prstatus->pr_fpvalid = elf_core_copy_task_fpregs(current, regs, |
| @@ -1960,8 +1965,9 @@ static void free_note_info(struct elf_note_info *info) | |||
| 1960 | kfree(list_entry(tmp, struct elf_thread_status, list)); | 1965 | kfree(list_entry(tmp, struct elf_thread_status, list)); |
| 1961 | } | 1966 | } |
| 1962 | 1967 | ||
| 1963 | /* Free data allocated by fill_files_note(): */ | 1968 | /* Free data possibly allocated by fill_files_note(): */ |
| 1964 | vfree(info->notes[4].data); | 1969 | if (info->notes_files) |
| 1970 | vfree(info->notes_files->data); | ||
| 1965 | 1971 | ||
| 1966 | kfree(info->prstatus); | 1972 | kfree(info->prstatus); |
| 1967 | kfree(info->psinfo); | 1973 | kfree(info->psinfo); |
| @@ -2044,7 +2050,7 @@ static int elf_core_dump(struct coredump_params *cprm) | |||
| 2044 | struct vm_area_struct *vma, *gate_vma; | 2050 | struct vm_area_struct *vma, *gate_vma; |
| 2045 | struct elfhdr *elf = NULL; | 2051 | struct elfhdr *elf = NULL; |
| 2046 | loff_t offset = 0, dataoff, foffset; | 2052 | loff_t offset = 0, dataoff, foffset; |
| 2047 | struct elf_note_info info; | 2053 | struct elf_note_info info = { }; |
| 2048 | struct elf_phdr *phdr4note = NULL; | 2054 | struct elf_phdr *phdr4note = NULL; |
| 2049 | struct elf_shdr *shdr4extnum = NULL; | 2055 | struct elf_shdr *shdr4extnum = NULL; |
| 2050 | Elf_Half e_phnum; | 2056 | Elf_Half e_phnum; |