From db873d02687f9c72c63f996b1cc7942e6ed5d82c Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 1 Jul 2019 16:17:39 +0200 Subject: [PATCH] 4.4-stable patches added patches: fs-binfmt_flat.c-make-load_flat_shared_library-work.patch --- ...c-make-load_flat_shared_library-work.patch | 86 +++++++++++++++++++ queue-4.4/series | 1 + 2 files changed, 87 insertions(+) create mode 100644 queue-4.4/fs-binfmt_flat.c-make-load_flat_shared_library-work.patch diff --git a/queue-4.4/fs-binfmt_flat.c-make-load_flat_shared_library-work.patch b/queue-4.4/fs-binfmt_flat.c-make-load_flat_shared_library-work.patch new file mode 100644 index 00000000000..d3240f07eb4 --- /dev/null +++ b/queue-4.4/fs-binfmt_flat.c-make-load_flat_shared_library-work.patch @@ -0,0 +1,86 @@ +From 867bfa4a5fcee66f2b25639acae718e8b28b25a5 Mon Sep 17 00:00:00 2001 +From: Jann Horn +Date: Fri, 28 Jun 2019 12:06:46 -0700 +Subject: fs/binfmt_flat.c: make load_flat_shared_library() work + +From: Jann Horn + +commit 867bfa4a5fcee66f2b25639acae718e8b28b25a5 upstream. + +load_flat_shared_library() is broken: It only calls load_flat_file() if +prepare_binprm() returns zero, but prepare_binprm() returns the number of +bytes read - so this only happens if the file is empty. + +Instead, call into load_flat_file() if the number of bytes read is +non-negative. (Even if the number of bytes is zero - in that case, +load_flat_file() will see nullbytes and return a nice -ENOEXEC.) + +In addition, remove the code related to bprm creds and stop using +prepare_binprm() - this code is loading a library, not a main executable, +and it only actually uses the members "buf", "file" and "filename" of the +linux_binprm struct. Instead, call kernel_read() directly. + +Link: http://lkml.kernel.org/r/20190524201817.16509-1-jannh@google.com +Fixes: 287980e49ffc ("remove lots of IS_ERR_VALUE abuses") +Signed-off-by: Jann Horn +Cc: Alexander Viro +Cc: Kees Cook +Cc: Nicolas Pitre +Cc: Arnd Bergmann +Cc: Geert Uytterhoeven +Cc: Russell King +Cc: Greg Ungerer +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/binfmt_flat.c | 24 +++++++----------------- + 1 file changed, 7 insertions(+), 17 deletions(-) + +--- a/fs/binfmt_flat.c ++++ b/fs/binfmt_flat.c +@@ -808,9 +808,14 @@ err: + + static int load_flat_shared_library(int id, struct lib_info *libs) + { ++ /* ++ * This is a fake bprm struct; only the members "buf", "file" and ++ * "filename" are actually used. ++ */ + struct linux_binprm bprm; + int res; + char buf[16]; ++ loff_t pos = 0; + + memset(&bprm, 0, sizeof(bprm)); + +@@ -824,25 +829,10 @@ static int load_flat_shared_library(int + if (IS_ERR(bprm.file)) + return res; + +- bprm.cred = prepare_exec_creds(); +- res = -ENOMEM; +- if (!bprm.cred) +- goto out; +- +- /* We don't really care about recalculating credentials at this point +- * as we're past the point of no return and are dealing with shared +- * libraries. +- */ +- bprm.cred_prepared = 1; +- +- res = prepare_binprm(&bprm); +- +- if (!IS_ERR_VALUE(res)) ++ res = kernel_read(bprm.file, bprm.buf, BINPRM_BUF_SIZE, &pos); ++ if (res >= 0) + res = load_flat_file(&bprm, libs, id, NULL); + +- abort_creds(bprm.cred); +- +-out: + allow_write_access(bprm.file); + fput(bprm.file); + diff --git a/queue-4.4/series b/queue-4.4/series index e47efe0d4e4..500702e9bf3 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -1,3 +1,4 @@ +fs-binfmt_flat.c-make-load_flat_shared_library-work.patch tracing-silence-gcc-9-array-bounds-warning.patch gcc-9-silence-address-of-packed-member-warning.patch usb-chipidea-udc-workaround-for-endpoint-conflict-issue.patch -- 2.47.2