From fab770844b26fca896840161281efd6dd578c9d5 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sun, 14 Feb 2016 14:20:12 -0800 Subject: [PATCH] 3.14-stable patches added patches: binfmt_elf-don-t-clobber-passed-executable-s-file-header.patch --- ...bber-passed-executable-s-file-header.patch | 62 +++++++++++++++++++ queue-3.14/series | 1 + 2 files changed, 63 insertions(+) create mode 100644 queue-3.14/binfmt_elf-don-t-clobber-passed-executable-s-file-header.patch diff --git a/queue-3.14/binfmt_elf-don-t-clobber-passed-executable-s-file-header.patch b/queue-3.14/binfmt_elf-don-t-clobber-passed-executable-s-file-header.patch new file mode 100644 index 00000000000..51fee3d99c0 --- /dev/null +++ b/queue-3.14/binfmt_elf-don-t-clobber-passed-executable-s-file-header.patch @@ -0,0 +1,62 @@ +From b582ef5c53040c5feef4c96a8f9585b6831e2441 Mon Sep 17 00:00:00 2001 +From: "Maciej W. Rozycki" +Date: Mon, 26 Oct 2015 15:48:19 +0000 +Subject: binfmt_elf: Don't clobber passed executable's file header + +From: Maciej W. Rozycki + +commit b582ef5c53040c5feef4c96a8f9585b6831e2441 upstream. + +Do not clobber the buffer space passed from `search_binary_handler' and +originally preloaded by `prepare_binprm' with the executable's file +header by overwriting it with its interpreter's file header. Instead +keep the buffer space intact and directly use the data structure locally +allocated for the interpreter's file header, fixing a bug introduced in +2.1.14 with loadable module support (linux-mips.org commit beb11695 +[Import of Linux/MIPS 2.1.14], predating kernel.org repo's history). +Adjust the amount of data read from the interpreter's file accordingly. + +This was not an issue before loadable module support, because back then +`load_elf_binary' was executed only once for a given ELF executable, +whether the function succeeded or failed. + +With loadable module support supported and enabled, upon a failure of +`load_elf_binary' -- which may for example be caused by architecture +code rejecting an executable due to a missing hardware feature requested +in the file header -- a module load is attempted and then the function +reexecuted by `search_binary_handler'. With the executable's file +header replaced with its interpreter's file header the executable can +then be erroneously accepted in this subsequent attempt. + +Signed-off-by: Maciej W. Rozycki +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + fs/binfmt_elf.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/fs/binfmt_elf.c ++++ b/fs/binfmt_elf.c +@@ -679,16 +679,16 @@ static int load_elf_binary(struct linux_ + */ + would_dump(bprm, interpreter); + +- retval = kernel_read(interpreter, 0, bprm->buf, +- BINPRM_BUF_SIZE); +- if (retval != BINPRM_BUF_SIZE) { ++ /* Get the exec headers */ ++ retval = kernel_read(interpreter, 0, ++ (void *)&loc->interp_elf_ex, ++ sizeof(loc->interp_elf_ex)); ++ if (retval != sizeof(loc->interp_elf_ex)) { + if (retval >= 0) + retval = -EIO; + goto out_free_dentry; + } + +- /* Get the exec headers */ +- loc->interp_elf_ex = *((struct elfhdr *)bprm->buf); + break; + } + elf_ppnt++; diff --git a/queue-3.14/series b/queue-3.14/series index cd665eadb8b..7ca119fb960 100644 --- a/queue-3.14/series +++ b/queue-3.14/series @@ -73,3 +73,4 @@ evm-use-crypto_memneq-for-digest-comparisons.patch crypto-user-lock-crypto_alg_list-on-alg-dump.patch fs-cache-increase-reference-of-parent-after-registering-netfs-success.patch fs-cache-don-t-override-netfs-s-primary_index-if-registering-failed.patch +binfmt_elf-don-t-clobber-passed-executable-s-file-header.patch -- 2.47.3