    exec: fix use-after-free bug in setup_new_exec() · 96e02d15
    Heiko Carstens authored
    Setting the task name is done within setup_new_exec() by accessing
    bprm->filename. However, this happens after flush_old_exec().
    This may result in a use-after-free bug: flush_old_exec() may
    "complete" vfork_done, which will wake up the parent, which in turn
    may free the passed-in filename.
    To fix this, add a new tcomm field in struct linux_binprm which
    contains the now early generated task name until it is used.
    
    Fixes this bug on s390:
    
      Unable to handle kernel pointer dereference at virtual kernel address 0000000039768000
      Process kworker/u:3 (pid: 245, task: 000000003a3dc840, ksp: 0000000039453818)
      Krnl PSW : 0704000180000000 0000000000282e94 (setup_new_exec+0xa0/0x374)
      Call Trace:
      ([<0000000000282e2c>] setup_new_exec+0x38/0x374)
       [<00000000002dd12e>] load_elf_binary+0x402/0x1bf4
       [<0000000000280a42>] search_binary_handler+0x38e/0x5bc
       [<0000000000282b6c>] do_execve_common+0x410/0x514
       [<0000000000282cb6>] do_execve+0x46/0x58
       [<00000000005bce58>] kernel_execve+0x28/0x70
       [<000000000014ba2e>] ____call_usermodehelper+0x102/0x140
       [<00000000005bc8da>] kernel_thread_starter+0x6/0xc
       [<00000000005bc8d4>] kernel_thread_starter+0x0/0xc
      Last Breaking-Event-Address:
       [<00000000002830f0>] setup_new_exec+0x2fc/0x374
    
      Kernel panic - not syncing: Fatal exception: panic_on_oops
    Reported-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
    Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>