
Commit 6b0f8db

committed
Merge tag 'execve-v6.11-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux
Pull execve fixes from Kees Cook: - binfmt_flat: Fix corruption when not offsetting data start - exec: Fix ToCToU between perm check and set-uid/gid usage * tag 'execve-v6.11-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux: exec: Fix ToCToU between perm check and set-uid/gid usage binfmt_flat: Fix corruption when not offsetting data start
2 parents 6b4aa46 + f50733b commit 6b0f8db


2 files changed

+10
-2
lines changed


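--- a/fs/binfmt_flat.c
+++ b/fs/binfmt_flat.c
@@ -72,8 +72,10 @@
 
 #ifdef CONFIG_BINFMT_FLAT_NO_DATA_START_OFFSET
 #define DATA_START_OFFSET_WORDS (0)
+#define MAX_SHARED_LIBS_UPDATE (0)
 #else
 #define DATA_START_OFFSET_WORDS (MAX_SHARED_LIBS)
+#define MAX_SHARED_LIBS_UPDATE (MAX_SHARED_LIBS)
 #endif
 
 struct lib_info {
@@ -880,7 +882,7 @@ static int load_flat_binary(struct linux_binprm *bprm)
 return res;
 
 /* Update data segment pointers for all libraries */
-for (i = 0; i < MAX_SHARED_LIBS; i++) {
+for (i = 0; i < MAX_SHARED_LIBS_UPDATE; i++) {
 if (!libinfo.lib_list[i].loaded)
 continue;
 for (j = 0; j < MAX_SHARED_LIBS; j++) {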
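Review bot: The new MAX_SHARED_LIBS_UPDATE macro in the first hunk carries no comment, so a reader of the #ifdef block cannot tell why the loop bound is (0) in the CONFIG_BINFMT_FLAT_NO_DATA_START_OFFSET case while DATA_START_OFFSET_WORDS already expresses the same configuration. Going by the commit message ("Fix corruption when not offsetting data start"), the intent appears to be that there are no reserved data-start words to patch when the offset is zero, so the pointer-update loop must not run; a one-line comment above the first definition, `/* No data-start offset means no reserved library slots to patch; skip the update loop. */`, would record that. The second hunk's loop bound change is the only use visible here; load_flat_binary starts and ends outside this hunk, so whether `i` and `j` are otherwise used in the zero case cannot be confirmed from this view.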

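--- a/fs/exec.c
+++ b/fs/exec.c
@@ -1692,6 +1692,7 @@ static void bprm_fill_uid(struct linux_binprm *bprm, struct file *file)
 unsigned int mode;
 vfsuid_t vfsuid;
 vfsgid_t vfsgid;
+int err;
 
 if (!mnt_may_suid(file->f_path.mnt))
 return;
@@ -1708,12 +1709,17 @@ static void bprm_fill_uid(struct linux_binprm *bprm, struct file *file)
 /* Be careful if suid/sgid is set */
 inode_lock(inode);
 
-/* reload atomically mode/uid/gid now that lock held */
+/* Atomically reload and check mode/uid/gid now that lock held. */
 mode = inode->i_mode;
 vfsuid = i_uid_into_vfsuid(idmap, inode);
 vfsgid = i_gid_into_vfsgid(idmap, inode);
+err = inode_permission(idmap, inode, MAY_EXEC);
 inode_unlock(inode);
 
+/* Did the exec bit vanish out from under us? Give up. */
+if (err)
+return;
+
 /* We ignore suid/sgid if there are no mappings for them in the ns */
 if (!vfsuid_has_mapping(bprm->cred->user_ns, vfsuid) ||
 !vfsgid_has_mapping(bprm->cred->user_ns, vfsgid))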
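Review bot: The comment above the new `if (err) return;` in the second hunk says "Give up", but bprm_fill_uid is a void function (per the hunk header) and the existing `return;` after mnt_may_suid shows the same pattern, so returning here does not fail the exec; it only leaves bprm's credentials unchanged, i.e. the set-uid/set-gid elevation is dropped while the exec presumably proceeds with the caller's own credentials. That distinction matters for anyone auditing the ToCToU fix, so I would make the comment say it: `/* Exec permission vanished under us: skip the suid/sgid elevation and leave bprm's creds unchanged. */`. It would also help to note next to the inode_permission() call that it is deliberately re-done under inode_lock so that mode, uid, gid and the permission result are from one consistent snapshot. bprm_fill_uid starts before the first hunk and ends after the second, so the function's remaining paths are not visible here.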
