[PATCH 4/4] exec: copy-and-paste the fixes into compat_do_execve() paths - CVE-2010-NNN3
Stefan Bader
stefan.bader at canonical.com
Mon Jul 4 15:35:54 UTC 2011
On 04.07.2011 12:03, paolo.pisati at canonical.com wrote:
> From: Oleg Nesterov <oleg at redhat.com>
>
> BugLink: http://bugs.launchpad.net/bugs/804234
>
> commit 114279be2120a916e8a04feeb2ac976a10016f2f upstream.
>
> Note: this patch targets 2.6.37 and tries to be as simple as possible.
> That is why it adds more copy-and-paste horror into fs/compat.c and
> uglifies fs/exec.c; this will be cleaned up later.
>
> compat_copy_strings() plays with bprm->vma/mm directly and thus has
> two problems: it lacks the RLIMIT_STACK check and argv/envp memory
> is not visible to oom killer.
>
> Export acct_arg_size() and get_arg_page(), change compat_copy_strings()
> to use get_arg_page(), change compat_do_execve() to do acct_arg_size(0)
> as do_execve() does.
>
> Add the fatal_signal_pending/cond_resched checks into compat_count() and
> compat_copy_strings(), this matches the code in fs/exec.c and certainly
> makes sense.
>
> CVE-2010-NNN3
>
> Signed-off-by: Oleg Nesterov <oleg at redhat.com>
> Cc: KOSAKI Motohiro <kosaki.motohiro at jp.fujitsu.com>
> Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
> Signed-off-by: Andi Kleen <ak at linux.intel.com>
> Cc: Moritz Muehlenhoff <jmm at debian.org>
> Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
> Signed-off-by: Tim Gardner <tim.gardner at canonical.com>
> Signed-off-by: Paolo Pisati <paolo.pisati at canonical.com>
> ---
> fs/compat.c | 28 +++++++++++++++-------------
> fs/exec.c | 8 ++++----
> include/linux/binfmts.h | 4 ++++
> 3 files changed, 23 insertions(+), 17 deletions(-)
>
> diff --git a/fs/compat.c b/fs/compat.c
> index 6d6f98f..fc6eeae 100644
> --- a/fs/compat.c
> +++ b/fs/compat.c
> @@ -1360,6 +1360,10 @@ static int compat_count(compat_uptr_t __user *argv, int max)
> argv++;
> if (i++ >= max)
> return -E2BIG;
> +
> + if (fatal_signal_pending(current))
> + return -ERESTARTNOHAND;
> + cond_resched();
> }
> }
> return i;
> @@ -1401,6 +1405,12 @@ static int compat_copy_strings(int argc, compat_uptr_t __user *argv,
> while (len > 0) {
> int offset, bytes_to_copy;
>
> + if (fatal_signal_pending(current)) {
> + ret = -ERESTARTNOHAND;
> + goto out;
> + }
> + cond_resched();
> +
> offset = pos % PAGE_SIZE;
> if (offset == 0)
> offset = PAGE_SIZE;
> @@ -1417,18 +1427,8 @@ static int compat_copy_strings(int argc, compat_uptr_t __user *argv,
> if (!kmapped_page || kpos != (pos & PAGE_MASK)) {
> struct page *page;
>
> -#ifdef CONFIG_STACK_GROWSUP
> - ret = expand_stack_downwards(bprm->vma, pos);
> - if (ret < 0) {
> - /* We've exceed the stack rlimit. */
> - ret = -E2BIG;
> - goto out;
> - }
> -#endif
> - ret = get_user_pages(current, bprm->mm, pos,
> - 1, 1, 1, &page, NULL);
> - if (ret <= 0) {
> - /* We've exceed the stack rlimit. */
> + page = get_arg_page(bprm, pos, 1);
> + if (!page) {
> ret = -E2BIG;
> goto out;
> }
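Review bot: The `if (!page)` branch keeps `ret = -E2BIG` but loses the comment the removed code carried (`/* We've exceed the stack rlimit. */` went away with both old checks), so a reader can no longer tell why a NULL from get_arg_page() is reported as an argument-list size error. Restoring it above `ret = -E2BIG;` as `/* get_arg_page() failed: report it as exceeding the stack rlimit, matching copy_strings() in fs/exec.c */` keeps the intent visible at the only failure point left in this block. That NULL also covers an ordinary failed fault is inferred from the get_user_pages() call this hunk removes and should be checked against the body of get_arg_page(), which is not part of this patch. The enclosing while loop and compat_copy_strings() itself start before this hunk and continue after it.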
> @@ -1549,8 +1549,10 @@ int compat_do_execve(char * filename,
> return retval;
>
> out:
> - if (bprm->mm)
> + if (bprm->mm) {
> + acct_arg_size(bprm, 0);
> mmput(bprm->mm);
> + }
>
> out_file:
> if (bprm->file) {
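Review bot: The added `acct_arg_size(bprm, 0)` on the `out:` path has no comment saying what it reverts, and it is not obvious from the call site that acct_arg_size() adjusts `current->mm` (see `struct mm_struct *mm = current->mm;` in the fs/exec.c hunk) rather than the `bprm->mm` released on the next line. A one-line comment such as `/* revert the argv/envp pages accounted against current->mm, as do_execve() does */` would document both the purpose and why the call belongs before mmput(). The description says do_execve() does the same, but that function is not in this patch, so whether every early exit in compat_do_execve() that leaves bprm->mm set reaches this label cannot be checked here. compat_do_execve() starts before this hunk and ends after it.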
> diff --git a/fs/exec.c b/fs/exec.c
> index 7b125a8..3bc6c91 100644
> --- a/fs/exec.c
> +++ b/fs/exec.c
> @@ -159,7 +159,7 @@ out:
>
> #ifdef CONFIG_MMU
>
> -static void acct_arg_size(struct linux_binprm *bprm, unsigned long pages)
> +void acct_arg_size(struct linux_binprm *bprm, unsigned long pages)
> {
> struct mm_struct *mm = current->mm;
> long diff = (long)(pages - bprm->vma_pages);
> @@ -174,7 +174,7 @@ static void acct_arg_size(struct linux_binprm *bprm, unsigned long pages)
> up_write(&mm->mmap_sem);
> }
>
> -static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos,
> +struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos,
> int write)
> {
> struct page *page;
> @@ -291,11 +291,11 @@ static bool valid_arg_len(struct linux_binprm *bprm, long len)
>
> #else
>
> -static inline void acct_arg_size(struct linux_binprm *bprm, unsigned long pages)
> +void acct_arg_size(struct linux_binprm *bprm, unsigned long pages)
> {
> }
>
> -static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos,
> +struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos,
> int write)
> {
> struct page *page;
> diff --git a/include/linux/binfmts.h b/include/linux/binfmts.h
> index 48564ac..7f6c8e8 100644
> --- a/include/linux/binfmts.h
> +++ b/include/linux/binfmts.h
> @@ -60,6 +60,10 @@ struct linux_binprm{
> unsigned long loader, exec;
> };
>
> +extern void acct_arg_size(struct linux_binprm *bprm, unsigned long pages);
> +extern struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos,
> + int write);
> +
> #define BINPRM_FLAGS_ENFORCE_NONDUMP_BIT 0
> #define BINPRM_FLAGS_ENFORCE_NONDUMP (1 << BINPRM_FLAGS_ENFORCE_NONDUMP_BIT)
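Review bot: The two declarations become part of the header's interface with no comment on their contract, so a caller cannot tell from here that acct_arg_size() sets the accounted argv/envp page count to `pages` and applies the difference to `current->mm` (visible in the fs/exec.c hunk as `long diff = (long)(pages - bprm->vma_pages);`), nor what get_arg_page() returns on failure. A short comment above each — `/* Account `pages` argv/envp pages against current->mm; acct_arg_size(bprm, 0) reverts the charge. No-op without CONFIG_MMU. */` and `/* Fault in and return the page at pos in the new stack, or NULL on failure (stack rlimit exceeded). */` — would carry that. The NULL-on-failure wording is inferred from the call site in compat_copy_strings(), and the non-MMU get_arg_page() body is cut off in this patch, so both should be confirmed against fs/exec.c before the comments are added.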
>
I can't find CVE-2010-NNN3 anywhere, somehow. But NNN3 is usually only a temporary
placeholder that is later replaced by a real number...