lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Sat, 30 Mar 2019 07:00:32 -0700 From: Nikitas Angelinas <nikitas.angelinas@...il.com> To: Alexander Viro <viro@...iv.linux.org.uk>, Alexey Dobriyan <adobriyan@...il.com>, Andrew Morton <akpm@...ux-foundation.org>, Linus Torvalds <torvalds@...ux-foundation.org>, linux-kernel@...r.kernel.org, linux-fsdevel@...r.kernel.org, syzbot+0d1fcd7268b21baced4a@...kaller.appspotmail.com Cc: nikitas.angelinas@...il.com Subject: [PATCH] fs/binfmt_elf.c: fix GPF when dereferencing invalid interpreter Syzkaller found an issue where an invalid interpreter pointer is dereferenced in load_elf_binary()->allow_write_access(). Fix this by jumping to a different label in the cleanup path. This patch applies against the latest linux-next tree. I have not tested that the patch addresses the issue, but it should, imho. Signed-off-by: Nikitas Angelinas <nikitas.angelinas@...il.com> Reported-by: syzbot+0d1fcd7268b21baced4a@...kaller.appspotmail.com Fixes: 44e63c4a0263 ("fs/binfmt_elf.c: free PT_INTERP filename ASAP") --- fs/binfmt_elf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c index 51bc894..09e76b2 100644 --- a/fs/binfmt_elf.c +++ b/fs/binfmt_elf.c @@ -777,7 +777,7 @@ static int load_elf_binary(struct linux_binprm *bprm) kfree(elf_interpreter); retval = PTR_ERR(interpreter); if (IS_ERR(interpreter)) - goto out_free_dentry; + goto out_free_ph; /* * If the binary is not readable then enforce -- 2.10.0
Powered by blists - more mailing lists