Commit 53e9309e authored by Hugh Dickins, committed by Linus Torvalds

compat_do_execve should unshare_files

2.6.26's commit fd8328be
"sanitize handling of shared descriptor tables in failing execve()"
moved the unshare_files() from flush_old_exec() and several binfmts
to the head of do_execve(); but forgot to make the same change to
compat_do_execve(), leaving a CLONE_FILES files_struct shared across
exec from a 32-bit process on a 64-bit kernel.

It's arguable whether the files_struct really ought to be unshared
across exec; but 2.6.1 made that so to stop the loading binary's fd
leaking into other threads, and a 32-bit process on a 64-bit kernel
ought to behave in the same way as 32 on 32 and 64 on 64.

Signed-off-by: Hugh Dickins <hugh@veritas.com>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
parent 07d43ba9
...@@ -1420,12 +1420,17 @@ int compat_do_execve(char * filename, ...@@ -1420,12 +1420,17 @@ int compat_do_execve(char * filename,
{ {
struct linux_binprm *bprm; struct linux_binprm *bprm;
struct file *file; struct file *file;
struct files_struct *displaced;
int retval; int retval;
retval = unshare_files(&displaced);
if (retval)
goto out_ret;
retval = -ENOMEM; retval = -ENOMEM;
bprm = kzalloc(sizeof(*bprm), GFP_KERNEL); bprm = kzalloc(sizeof(*bprm), GFP_KERNEL);
if (!bprm) if (!bprm)
goto out_ret; goto out_files;
retval = mutex_lock_interruptible(&current->cred_exec_mutex); retval = mutex_lock_interruptible(&current->cred_exec_mutex);
if (retval < 0) if (retval < 0)
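Review bot: `struct files_struct *displaced;` is declared without an initializer, yet the later hunks test it with `if (displaced)`. That is only correct if unshare_files() stores to it on every successful return, including storing NULL when nothing was displaced. The failing unshare_files() path jumps to out_ret and never reads the pointer, so the code as shown is consistent, but a one-line comment at the call stating that contract, or initializing the pointer to NULL at the declaration, would keep a later reordering from reading an indeterminate pointer.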
...@@ -1487,6 +1492,8 @@ int compat_do_execve(char * filename, ...@@ -1487,6 +1492,8 @@ int compat_do_execve(char * filename,
mutex_unlock(&current->cred_exec_mutex); mutex_unlock(&current->cred_exec_mutex);
acct_update_integrals(current); acct_update_integrals(current);
free_bprm(bprm); free_bprm(bprm);
if (displaced)
put_files_struct(displaced);
return retval; return retval;
out: out:
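Review bot: the success path at `if (displaced) put_files_struct(displaced);` releases the displaced table, while the error path in the next hunk calls reset_files_struct() on it, and nothing in the function says why the two differ. If the intent is that a successful exec keeps the private copy and only drops its reference to the previously shared table, a short comment here should say so. The commit message gives the reason for unsharing (the loading binary's fd leaking into other threads), and that rationale is worth carrying into the code next to this release.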
...@@ -1506,6 +1513,9 @@ int compat_do_execve(char * filename, ...@@ -1506,6 +1513,9 @@ int compat_do_execve(char * filename,
out_free: out_free:
free_bprm(bprm); free_bprm(bprm);
out_files:
if (displaced)
reset_files_struct(displaced);
out_ret: out_ret:
return retval; return retval;
} }
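Review bot: out_files sits between out_free and out_ret, so anything reaching out_free falls through and restores the displaced table, but any `goto out_ret` left after the unshare_files() call would skip `reset_files_struct(displaced)`. Only the kzalloc() failure is visibly converted from out_ret to out_files. The lines elided between the hunks should be checked for another direct `goto out_ret`, which would return an error with the displaced table neither restored nor released.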
......