[PATCH] get rid of leak in compat_execve()
authorAl Viro <viro@zeniv.linux.org.uk>
Sat, 10 May 2008 20:38:25 +0000 (16:38 -0400)
committerAl Viro <viro@zeniv.linux.org.uk>
Fri, 16 May 2008 21:23:05 +0000 (17:23 -0400)
Even though copy_compat_strings() doesn't cache the pages,
copy_strings_kernel() and code indirectly called by e.g.
->load_binary() do, so the cached pages need to be dropped
at the end.

[found by WANG Cong <wangcong@zeuux.org>]

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
fs/compat.c
fs/exec.c
include/linux/binfmts.h

index 332a869d2c53e80a6bfb75c5e2bd3009802eca58..ed43e17a5dc68ad6663d28bc5abef135492c2e52 100644 (file)
@@ -1405,7 +1405,7 @@ int compat_do_execve(char * filename,
                /* execve success */
                security_bprm_free(bprm);
                acct_update_integrals(current);
-               kfree(bprm);
+               free_bprm(bprm);
                return retval;
        }
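Review bot: The compat success path returns straight after `free_bprm(bprm);`, whereas the matching do_execve() path in fs/exec.c follows the same call with `if (displaced) put_files_struct(displaced);`. If compat_do_execve() also calls unshare_files() above this hunk (its opening is outside the hunk, so I cannot see it), a displaced files_struct is leaked on every successful compat exec and those two lines belong before `return retval;` here as well. If it does not unshare files, a one-line comment saying so next to `free_bprm(bprm);` would spare the next reader the comparison. compat_do_execve()'s body continues on both sides of the hunk.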
 
@@ -1424,7 +1424,7 @@ out_file:
        }
 
 out_kfree:
-       kfree(bprm);
+       free_bprm(bprm);
 
 out_ret:
        return retval;
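Review bot: `out_kfree:` is now the only place in compat_do_execve() where the cached argument pages are released, so every `goto` taken after the bprm is allocated must end up at this label; the earlier labels (`out:`, `out_file:` and whatever sits between them) are outside the hunk, so I can only infer that they fall through. A comment at the label would make the invariant explicit: `/* free_bprm() also drops the argument pages cached on bprm; every exit after the allocation must reach this label */`. No `free_arg_pages()` removal appears in the compat hunks, which matches the commit message's statement that this path never freed the pages before.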
index 1f8a24aa1f8bbbf4a88235cfdb0d1341b29fa79a..3c2ba7ce11d46505e2e5d5539179b4435075118a 100644 (file)
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -1251,6 +1251,12 @@ int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs)
 
 EXPORT_SYMBOL(search_binary_handler);
 
+void free_bprm(struct linux_binprm *bprm)
+{
+       free_arg_pages(bprm);
+       kfree(bprm);
+}
+
 /*
  * sys_execve() executes a new program.
  */
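Review bot: The new `free_bprm()` has no comment, although it becomes the single teardown point for a linux_binprm and is handed to fs/compat.c through the new declaration in binfmts.h. I would add above it: `/* Release the argument pages cached on @bprm (free_arg_pages()) and then the bprm itself; must be the last use of @bprm and called exactly once per allocation. */`. It is not EXPORT_SYMBOL'd, unlike search_binary_handler() directly above, which is fine for the two built-in callers in this patch but means a modular binfmt cannot call it; if that is intended, the comment is the place to say so.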
@@ -1320,17 +1326,15 @@ int do_execve(char * filename,
        retval = search_binary_handler(bprm,regs);
        if (retval >= 0) {
                /* execve success */
-               free_arg_pages(bprm);
                security_bprm_free(bprm);
                acct_update_integrals(current);
-               kfree(bprm);
+               free_bprm(bprm);
                if (displaced)
                        put_files_struct(displaced);
                return retval;
        }
 
 out:
-       free_arg_pages(bprm);
        if (bprm->security)
                security_bprm_free(bprm);
 
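Review bot: Moving `free_arg_pages(bprm)` out of `out:` and into free_bprm() changes when the cached pages are released: on the error path they now outlive the cleanup between `out:` and `out_kfree:` (outside this hunk; presumably the mm and file teardown) instead of going first, and on the success path `security_bprm_free(bprm)` now runs before the pages are freed rather than after. That is harmless as long as free_arg_pages() needs nothing beyond the bprm's own page cache, but the reordering is not mentioned in the commit message and a reader of `out:` may think the free was lost. I would add at `out:`: `/* the argument pages are dropped by free_bprm() at out_kfree */`. do_execve()'s body continues on both sides of the hunk.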
@@ -1344,7 +1348,7 @@ out_file:
                fput(bprm->file);
        }
 out_kfree:
-       kfree(bprm);
+       free_bprm(bprm);
 
 out_files:
        if (displaced)
index b512e48f6d8e9ccbcc811c364cf73a8f85bdd58f..ee0ed48e834809778a946343d6840e446eb9f2b7 100644 (file)
@@ -99,6 +99,7 @@ extern int copy_strings_kernel(int argc,char ** argv,struct linux_binprm *bprm);
 extern void compute_creds(struct linux_binprm *binprm);
 extern int do_coredump(long signr, int exit_code, struct pt_regs * regs);
 extern int set_binfmt(struct linux_binfmt *new);
+extern void free_bprm(struct linux_binprm *);
 
 #endif /* __KERNEL__ */
 #endif /* _LINUX_BINFMTS_H */
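Review bot: The new prototype drops the parameter name, `extern void free_bprm(struct linux_binprm *);`, while its neighbours spell theirs out (`struct linux_binprm *bprm` in the copy_strings_kernel() line at the top of the hunk, `struct linux_binprm *binprm`, `struct linux_binfmt *new`); keep the header consistent with `extern void free_bprm(struct linux_binprm *bprm);`. A named parameter also gives a one-line comment something to refer to: after the call @bprm and the argument pages cached on it are gone.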