    binfmt_elf: safely increment argv pointers · 67c6777a
    Kees Cook authored
    When building the argv/envp pointers, the envp is needlessly
    pre-incremented instead of just continuing after the argv pointers are
    finished.  In some (likely impossible) race where the strings could be
    changed from userspace between copy_strings() and here, it might be
    possible to confuse the envp position.  Instead, just use sp like
    everything else.
    
    Link: http://lkml.kernel.org/r/20170622173838.GA43308@beast
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: Rik van Riel <riel@redhat.com>
    Cc: Daniel Micay <danielmicay@gmail.com>
    Cc: Qualys Security Advisory <qsa@qualys.com>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: Ingo Molnar <mingo@redhat.com>
    Cc: "H. Peter Anvin" <hpa@zytor.com>
    Cc: Alexander Viro <viro@zeniv.linux.org.uk>
    Cc: Dmitry Safonov <dsafonov@virtuozzo.com>
    Cc: Andy Lutomirski <luto@amacapital.net>
    Cc: Grzegorz Andrejczuk <grzegorz.andrejczuk@intel.com>
    Cc: Masahiro Yamada <yamada.masahiro@socionext.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
binfmt_elf.c 62.9 KB