4.4-stable patches

added patches:
	fs-binfmt_flat.c-make-load_flat_shared_library-work.patch

diff --git a/queue-4.4/fs-binfmt_flat.c-make-load_flat_shared_library-work.patch b/queue-4.4/fs-binfmt_flat.c-make-load_flat_shared_library-work.patch
new file mode 100644 (file)
index 0000000..d3240f0
--- /dev/null
+++ b/queue-4.4/fs-binfmt_flat.c-make-load_flat_shared_library-work.patch
@@ -0,0 +1,86 @@
+From 867bfa4a5fcee66f2b25639acae718e8b28b25a5 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Fri, 28 Jun 2019 12:06:46 -0700
+Subject: fs/binfmt_flat.c: make load_flat_shared_library() work
+
+From: Jann Horn <jannh@google.com>
+
+commit 867bfa4a5fcee66f2b25639acae718e8b28b25a5 upstream.
+
+load_flat_shared_library() is broken: It only calls load_flat_file() if
+prepare_binprm() returns zero, but prepare_binprm() returns the number of
+bytes read - so this only happens if the file is empty.
+
+Instead, call into load_flat_file() if the number of bytes read is
+non-negative. (Even if the number of bytes is zero - in that case,
+load_flat_file() will see nullbytes and return a nice -ENOEXEC.)
+
+In addition, remove the code related to bprm creds and stop using
+prepare_binprm() - this code is loading a library, not a main executable,
+and it only actually uses the members "buf", "file" and "filename" of the
+linux_binprm struct. Instead, call kernel_read() directly.
+
+Link: http://lkml.kernel.org/r/20190524201817.16509-1-jannh@google.com
+Fixes: 287980e49ffc ("remove lots of IS_ERR_VALUE abuses")
+Signed-off-by: Jann Horn <jannh@google.com>
+Cc: Alexander Viro <viro@zeniv.linux.org.uk>
+Cc: Kees Cook <keescook@chromium.org>
+Cc: Nicolas Pitre <nicolas.pitre@linaro.org>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Geert Uytterhoeven <geert@linux-m68k.org>
+Cc: Russell King <linux@armlinux.org.uk>
+Cc: Greg Ungerer <gerg@linux-m68k.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/binfmt_flat.c |   24 +++++++-----------------
+ 1 file changed, 7 insertions(+), 17 deletions(-)
+
+--- a/fs/binfmt_flat.c
++++ b/fs/binfmt_flat.c
+@@ -808,9 +808,14 @@ err:
+ 
+ static int load_flat_shared_library(int id, struct lib_info *libs)
+ {
++      /*
++       * This is a fake bprm struct; only the members "buf", "file" and
++       * "filename" are actually used.
++       */
+       struct linux_binprm bprm;
+       int res;
+       char buf[16];
++      loff_t pos = 0;
+ 
+       memset(&bprm, 0, sizeof(bprm));
+ 
+@@ -824,25 +829,10 @@ static int load_flat_shared_library(int
+       if (IS_ERR(bprm.file))
+               return res;
+ 
+-      bprm.cred = prepare_exec_creds();
+-      res = -ENOMEM;
+-      if (!bprm.cred)
+-              goto out;
+-
+-      /* We don't really care about recalculating credentials at this point
+-       * as we're past the point of no return and are dealing with shared
+-       * libraries.
+-       */
+-      bprm.cred_prepared = 1;
+-
+-      res = prepare_binprm(&bprm);
+-
+-      if (!IS_ERR_VALUE(res))
++      res = kernel_read(bprm.file, bprm.buf, BINPRM_BUF_SIZE, &pos);
++      if (res >= 0)
+               res = load_flat_file(&bprm, libs, id, NULL);
+ 
+-      abort_creds(bprm.cred);
+-
+-out:
+       allow_write_access(bprm.file);
+       fput(bprm.file);
+ 

diff --git a/queue-4.4/series b/queue-4.4/series
index e47efe0d4e4952faa94d1a1b051e67e0b2131ef8..500702e9bf3803f1270dea236b9f3f458f168c18 100644 (file)
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -1,3 +1,4 @@
+fs-binfmt_flat.c-make-load_flat_shared_library-work.patch
 tracing-silence-gcc-9-array-bounds-warning.patch
 gcc-9-silence-address-of-packed-member-warning.patch
 usb-chipidea-udc-workaround-for-endpoint-conflict-issue.patch