lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID:
 <AS8P193MB1285304CE97348D62021C878E46C2@AS8P193MB1285.EURP193.PROD.OUTLOOK.COM>
Date: Mon, 15 Jan 2024 20:22:01 +0100
From: Bernd Edlinger <bernd.edlinger@...mail.de>
To: Alexander Viro <viro@...iv.linux.org.uk>,
 Christian Brauner <brauner@...nel.org>, Kees Cook <keescook@...omium.org>,
 "Eric W. Biederman" <ebiederm@...ssion.com>,
 "linux-fsdevel@...r.kernel.org" <linux-fsdevel@...r.kernel.org>,
 linux-mm@...ck.org,
 "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
 Andrew Morton <akpm@...ux-foundation.org>
Subject: [PATCH v2] Fix error handling in begin_new_exec

If get_unused_fd_flags() fails, the error handling is incomplete
because bprm->cred is already set to NULL, and therefore
free_bprm will not unlock the cred_guard_mutex.
Note there are two error conditions which end up here,
one before and one after bprm->cred is cleared.

Fixes: b8a61c9e7b4a ("exec: Generic execfd support")

Signed-off-by: Bernd Edlinger <bernd.edlinger@...mail.de>

Acked-by: "Eric W. Biederman" <ebiederm@...ssion.com>
---
 fs/exec.c | 3 +++
 1 file changed, 3 insertions(+)

v2: rebased to v6.7, retested and updated the commit message
to fix a checkpatch.pl style nit about the too short sha1 hash
in the Fixes: statement.
And retained Eric's Acked-by from:
https://lore.kernel.org/lkml/87mts2kcrm.fsf@disp2133/


Thanks
Bernd.

diff --git a/fs/exec.c b/fs/exec.c
index 4aa19b24f281..6d9ed2d765ef 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -1408,6 +1408,9 @@ int begin_new_exec(struct linux_binprm * bprm)
 
 out_unlock:
 	up_write(&me->signal->exec_update_lock);
+	if (!bprm->cred)
+		mutex_unlock(&me->signal->cred_guard_mutex);
+
 out:
 	return retval;
 }
-- 
2.39.2

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ