| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20190330140032.GA1527@vostro>
Date: Sat, 30 Mar 2019 07:00:32 -0700
From: Nikitas Angelinas <nikitas.angelinas@...il.com>
To: Alexander Viro <viro@...iv.linux.org.uk>,
Alexey Dobriyan <adobriyan@...il.com>,
Andrew Morton <akpm@...ux-foundation.org>,
Linus Torvalds <torvalds@...ux-foundation.org>,
linux-kernel@...r.kernel.org, linux-fsdevel@...r.kernel.org,
syzbot+0d1fcd7268b21baced4a@...kaller.appspotmail.com
Cc: nikitas.angelinas@...il.com
Subject: [PATCH] fs/binfmt_elf.c: fix GPF when dereferencing invalid
interpreter
Syzkaller found an issue where an invalid interpreter pointer is
dereferenced in load_elf_binary()->allow_write_access(). Fix this by
jumping to a different label in the cleanup path.
This patch applies against the latest linux-next tree. I have not tested
that the patch addresses the issue, but it should, imho.
Signed-off-by: Nikitas Angelinas <nikitas.angelinas@...il.com>
Reported-by: syzbot+0d1fcd7268b21baced4a@...kaller.appspotmail.com
Fixes: 44e63c4a0263 ("fs/binfmt_elf.c: free PT_INTERP filename ASAP")
---
fs/binfmt_elf.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
index 51bc894..09e76b2 100644
--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -777,7 +777,7 @@ static int load_elf_binary(struct linux_binprm *bprm)
kfree(elf_interpreter);
retval = PTR_ERR(interpreter);
if (IS_ERR(interpreter))
- goto out_free_dentry;
+ goto out_free_ph;
/*
* If the binary is not readable then enforce
--
2.10.0
Powered by blists - more mailing lists