diff options
author | Oleg Nesterov <oleg@redhat.com> | 2013-09-11 23:24:41 +0200 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2013-09-12 00:59:05 +0200 |
commit | 52f14282bb0c3d3e5ba2a9eaacb12ff37a033e7e (patch) | |
tree | c0f02056772e53e294784388b4202e94271c46e6 | |
parent | exec: proc_exec_connector() should be called only once (diff) | |
download | linux-52f14282bb0c3d3e5ba2a9eaacb12ff37a033e7e.tar.xz linux-52f14282bb0c3d3e5ba2a9eaacb12ff37a033e7e.zip |
exec: move allow_write_access/fput to exec_binprm()
When search_binary_handler() succeeds it does allow_write_access() and
fput(), then it clears bprm->file to ensure the caller will not do the
same.
We can simply move this code to exec_binprm() which is called only once.
In fact we could move this to free_bprm() and remove the same code in
do_execve_common's error path.
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Acked-by: Kees Cook <keescook@chromium.org>
Cc: Al Viro <viro@ZenIV.linux.org.uk>
Cc: Evgeniy Polyakov <zbr@ioremap.net>
Cc: Zach Levis <zml@linux.vnet.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-rw-r--r-- | fs/exec.c | 10 |
1 files changed, 6 insertions, 4 deletions
diff --git a/fs/exec.c b/fs/exec.c index d51f7172832b..a4cfd1d725e0 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -1400,10 +1400,6 @@ int search_binary_handler(struct linux_binprm *bprm) bprm->recursion_depth--; if (retval >= 0) { put_binfmt(fmt); - allow_write_access(bprm->file); - if (bprm->file) - fput(bprm->file); - bprm->file = NULL; return retval; } read_lock(&binfmt_lock); @@ -1455,6 +1451,12 @@ static int exec_binprm(struct linux_binprm *bprm) ptrace_event(PTRACE_EVENT_EXEC, old_vpid); current->did_exec = 1; proc_exec_connector(current); + + if (bprm->file) { + allow_write_access(bprm->file); + fput(bprm->file); + bprm->file = NULL; /* to catch use-after-free */ + } } return ret; |