[v2,10/10] binfmt_flat: allow compressed flat binary format to work on MMU systems

Commit Message

Nicolas Pitre July 18, 2016, 3:31 a.m. UTC

Let's take the simple and obvious approach by decompressing the binary
into a kernel buffer and then copying it to user space.  Those who are
looking for more performance on a MMU system are unlikely to choose this
executable format anyway.

Signed-off-by: Nicolas Pitre <nico@linaro.org>
---
 fs/binfmt_flat.c | 44 ++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 42 insertions(+), 2 deletions(-)

Comments

Alan Cox July 18, 2016, 11:47 a.m. UTC | #1

On Sun, 17 Jul 2016 23:31:56 -0400
Nicolas Pitre <nicolas.pitre@linaro.org> wrote:

> Let's take the simple and obvious approach by decompressing the binary
> into a kernel buffer and then copying it to user space.  Those who are
> looking for more performance on a MMU system are unlikely to choose this
> executable format anyway.

The flat loader takes a very casual attitude to overruns and corrupted
binaries. It's after all MMUless so has no real security model. If you
enable flat for an MMU system then IMHO those all need to be fixed
including all the missing overflow checks on the maths on textlen and the
like.

--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Patch

diff --git a/fs/binfmt_flat.c b/fs/binfmt_flat.c
index 4cb0c4b6ae..24deae4dcb 100644
--- a/fs/binfmt_flat.c
+++ b/fs/binfmt_flat.c
@@ -35,6 +35,7 @@ 
 #include <linux/init.h>
 #include <linux/flat.h>
 #include <linux/syscalls.h>
+#include <linux/vmalloc.h>
 
 #include <asm/byteorder.h>
 #include <asm/uaccess.h>
@@ -637,6 +638,7 @@  static int load_flat_file(struct linux_binprm * bprm,
 		 * load it all in and treat it like a RAM load from now on
 		 */
 		if (flags & FLAT_FLAG_GZIP) {
+#ifndef CONFIG_MMU
 			result = decompress_exec(bprm, sizeof (struct flat_hdr),
 					 (((char *) textpos) + sizeof (struct flat_hdr)),
 					 (text_len + full_data
@@ -644,14 +646,52 @@  static int load_flat_file(struct linux_binprm * bprm,
 					 0);
 			memmove((void *) datapos, (void *) realdatastart,
 					full_data);
+#else
+			/*
+			 * This is used on MMU systems mainly for testing.
+			 * Let's use a kernel buffer to simplify things.
+			 */
+			long unz_text_len = text_len - sizeof(struct flat_hdr);
+			long unz_len = unz_text_len + full_data;
+			char *unz_data = vmalloc(unz_len);
+			if (!unz_data) {
+				result = -ENOMEM;
+			} else {
+				result = decompress_exec(bprm, sizeof(struct flat_hdr),
+							 unz_data, unz_len, 0);
+				if (result == 0 &&
+				    (copy_to_user((void __user *)textpos + sizeof(struct flat_hdr),
+						  unz_data, unz_text_len) ||
+				     copy_to_user((void __user *)datapos,
+				    		  unz_data + unz_text_len, full_data)))
+					result = -EFAULT;
+				vfree(unz_data);
+			}
+#endif
 		} else if (flags & FLAT_FLAG_GZDATA) {
 			result = read_code(bprm->file, textpos, 0, text_len);
-			if (!IS_ERR_VALUE(result))
+			if (!IS_ERR_VALUE(result)) {
+#ifndef CONFIG_MMU
 				result = decompress_exec(bprm, text_len, (char *) datapos,
 						 full_data, 0);
+#else
+				char *unz_data = vmalloc(full_data);
+				if (!unz_data) {
+					result = -ENOMEM;
+				} else {
+					result = decompress_exec(bprm, text_len,
+						       unz_data, full_data, 0);
+					if (result == 0 &&
+					    copy_to_user((void __user *)datapos,
+						         unz_data, full_data))
+						result = -EFAULT;
+					vfree(unz_data);
+				}
+#endif
+			}
 		}
 		else
-#endif
+#endif /* CONFIG_BINFMT_ZFLAT */
 		{
 			result = read_code(bprm->file, textpos, 0, text_len);
 			if (!IS_ERR_VALUE(result))