Message ID | 20190330140032.GA1527@vostro (mailing list archive)
---|---
State | New, archived
Series | fs/binfmt_elf.c: fix GPF when dereferencing invalid interpreter
On 3/30/2019 7:30 PM, Nikitas Angelinas wrote:
> Syzkaller found an issue where an invalid interpreter pointer is
> dereferenced in load_elf_binary()->allow_write_access()

Please mention here that it is on the failure path inside allow_write_access, as there are two paths it gets called from.

> . Fix this by
> jumping to a different label in the cleanup path.
>
> This patch applies against the latest linux-next tree. I have not tested
> that the patch addresses the issue, but it should, imho.

This should not be written in the commit text body; please fix.

>
> Signed-off-by: Nikitas Angelinas <nikitas.angelinas@gmail.com>
> Reported-by: syzbot+0d1fcd7268b21baced4a@syzkaller.appspotmail.com
> Fixes: 44e63c4a0263 ("fs/binfmt_elf.c: free PT_INTERP filename ASAP")
> ---

Patch looks valid to me, as interpreter may be NULL and it later gets dereferenced inside allow_write_access under label out_free_dentry.

Reviewed-by: Mukesh Ojha <mojha@codeaurora.org>

Cheers,
-Mukesh

>  fs/binfmt_elf.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
> index 51bc894..09e76b2 100644
> --- a/fs/binfmt_elf.c
> +++ b/fs/binfmt_elf.c
> @@ -777,7 +777,7 @@ static int load_elf_binary(struct linux_binprm *bprm)
>  		kfree(elf_interpreter);
>  		retval = PTR_ERR(interpreter);
>  		if (IS_ERR(interpreter))
> -			goto out_free_dentry;
> +			goto out_free_ph;
>
>  		/*
>  		 * If the binary is not readable then enforce
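Review bot: the new target out_free_ph is not visible in the hunk, so from these lines alone a reader cannot tell what that label still releases and what it now skips; the commit message should state explicitly that out_free_ph bypasses the allow_write_access(interpreter) call that the out_free_dentry path performs, and what it still frees, and the diff would be easier to review with enough context to show both labels. Note also that the branch is taken only when IS_ERR(interpreter) is true, i.e. interpreter holds an encoded errno returned by open_exec() rather than NULL, which is exactly why a NULL guard on the old cleanup path cannot catch it; the phrase "interpreter may be NULL" in the review describes the wrong value, and the commit text should say "interpreter is an ERR_PTR()" so the reasoning is accurate.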
diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
index 51bc894..09e76b2 100644
--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -777,7 +777,7 @@ static int load_elf_binary(struct linux_binprm *bprm)
 		kfree(elf_interpreter);
 		retval = PTR_ERR(interpreter);
 		if (IS_ERR(interpreter))
-			goto out_free_dentry;
+			goto out_free_ph;
 
 		/*
 		 * If the binary is not readable then enforce
Syzkaller found an issue where an invalid interpreter pointer is
dereferenced in load_elf_binary()->allow_write_access(). Fix this by
jumping to a different label in the cleanup path.

This patch applies against the latest linux-next tree. I have not tested
that the patch addresses the issue, but it should, imho.

Signed-off-by: Nikitas Angelinas <nikitas.angelinas@gmail.com>
Reported-by: syzbot+0d1fcd7268b21baced4a@syzkaller.appspotmail.com
Fixes: 44e63c4a0263 ("fs/binfmt_elf.c: free PT_INTERP filename ASAP")
---
 fs/binfmt_elf.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
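The failure mode discussed above, modelled in user space as an added example (this is not code from the patch, from the kernel, or from either participant): an open_exec() failure leaves interpreter holding an ERR_PTR() value, which is non-NULL, so a cleanup path that only guards with a NULL check dereferences it; the fix is to jump past that cleanup. The ERR_PTR/IS_ERR/PTR_ERR helpers, the toy struct file, open_exec_model() and allow_write_access_model() are simplified stand-ins assumed here, and the two load_elf_*_fix() functions model only the branch changed by the patch.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * User-space model of the kernel's error-pointer helpers (assumed to follow
 * include/linux/err.h): an error pointer is a negative errno cast to a
 * pointer, so it lives in the top MAX_ERRNO bytes of the address space and
 * is never NULL. That is the whole point of the example.
 */
#define MAX_ERRNO 4095
#define ENOENT_MODEL 2		/* constructed errno value for the model */

static inline void *ERR_PTR(long err) { return (void *)err; }
static inline long PTR_ERR(const void *p) { return (long)p; }
static inline bool IS_ERR(const void *p)
{
	return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO;
}

/* Toy struct file: only the field the cleanup path touches. */
struct file {
	int i_writecount;
};

enum outcome {
	LOAD_OK = 0,		/* interpreter opened */
	LOAD_ERR_CLEAN,		/* open failed, cleanup touched nothing invalid */
	LOAD_ERR_BAD_DEREF,	/* open failed, cleanup dereferenced an ERR_PTR */
};

/* Model of open_exec(): a real file for a non-empty path, else -ENOENT. */
static struct file *open_exec_model(const char *path, struct file *backing)
{
	if (path == NULL || path[0] == '\0')
		return ERR_PTR(-ENOENT_MODEL);
	return backing;
}

/*
 * Model of allow_write_access(): like the kernel helper it only guards
 * against NULL. An ERR_PTR passes that guard; the real helper would then
 * fault while dereferencing it. This model reports that instead of crashing:
 * 0 on success, -1 if it would have dereferenced an invalid pointer.
 */
static int allow_write_access_model(struct file *f)
{
	if (!f)
		return 0;
	if (IS_ERR(f))
		return -1;
	f->i_writecount++;
	return 0;
}

/* Before the fix: failure jumps to the label that still releases interpreter. */
static enum outcome load_elf_before_fix(const char *interp_path,
					struct file *backing, long *retval)
{
	struct file *interpreter = open_exec_model(interp_path, backing);

	*retval = PTR_ERR(interpreter);
	if (IS_ERR(interpreter))
		goto out_free_dentry;
	*retval = 0;
	return LOAD_OK;

out_free_dentry:
	return allow_write_access_model(interpreter) < 0 ?
		LOAD_ERR_BAD_DEREF : LOAD_ERR_CLEAN;
}

/* After the fix: failure jumps past the interpreter cleanup. */
static enum outcome load_elf_after_fix(const char *interp_path,
				       struct file *backing, long *retval)
{
	struct file *interpreter = open_exec_model(interp_path, backing);

	*retval = PTR_ERR(interpreter);
	if (IS_ERR(interpreter))
		goto out_free_ph;
	*retval = 0;
	return LOAD_OK;

out_free_ph:
	/* interpreter was never a valid file, so there is nothing to release */
	return LOAD_ERR_CLEAN;
}

/* Drivers: an empty path is the constructed input open_exec_model() rejects. */
static enum outcome missing_interp_before_fix(void)
{
	struct file f = { 0 };
	long rv;
	return load_elf_before_fix("", &f, &rv);
}

static enum outcome missing_interp_after_fix(void)
{
	struct file f = { 0 };
	long rv;
	return load_elf_after_fix("", &f, &rv);
}

static long missing_interp_retval(void)
{
	struct file f = { 0 };
	long rv;
	load_elf_after_fix("", &f, &rv);
	return rv;
}

static enum outcome valid_interp_after_fix(void)
{
	struct file f = { 0 };
	long rv;
	return load_elf_after_fix("/lib64/ld-linux-x86-64.so.2", &f, &rv);
}

int main(void)
{
	void *err = ERR_PTR(-ENOENT_MODEL);

	printf("ERR_PTR(-ENOENT) is %sNULL, IS_ERR=%d, PTR_ERR=%ld\n",
	       err == NULL ? "" : "non-", IS_ERR(err), PTR_ERR(err));
	printf("missing interpreter, before fix: outcome=%d\n",
	       missing_interp_before_fix());
	printf("missing interpreter, after fix:  outcome=%d retval=%ld\n",
	       missing_interp_after_fix(), missing_interp_retval());
	return 0;
}
```

The point the model makes concrete is that the error value is rejected by IS_ERR() but accepted by `if (f)`, so a NULL guard inside the cleanup helper is the wrong defence; the correct one is the patch's, not reaching the helper at all on that path.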