vfs: forbid write access when reading a file into memory
authorDmitry Kasatkin <dmitry.kasatkin@huawei.com>
Sun, 26 Oct 2014 10:42:07 +0000 (12:42 +0200)
committerMimi Zohar <zohar@linux.vnet.ibm.com>
Sun, 1 May 2016 13:23:51 +0000 (09:23 -0400)
This patch is based on top of the "vfs: support for a common kernel file
loader" patch set.  In general when the kernel is reading a file into
memory it does not want anything else writing to it.

The kernel currently only forbids write access to a file being executed.
This patch extends this locking to files being read by the kernel.

Changelog:
- moved function to kernel_read_file() - Mimi
- updated patch description - Mimi

Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@huawei.com>
Cc: Al Viro <viro@ZenIV.linux.org.uk>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Reviewed-by: Luis R. Rodriguez <mcgrof@kernel.org>
Acked-by: Kees Cook <keescook@chromium.org>
fs/exec.c

index c4010b8207a144303ba498269427e42de1c72336..fdecb7615587df4e888bf357ccd6a3cc4640936b 100644 (file)
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -850,15 +850,25 @@ int kernel_read_file(struct file *file, void **buf, loff_t *size,
        if (ret)
                return ret;
 
+       ret = deny_write_access(file);
+       if (ret)
+               return ret;
+
        i_size = i_size_read(file_inode(file));
-       if (max_size > 0 && i_size > max_size)
-               return -EFBIG;
-       if (i_size <= 0)
-               return -EINVAL;
+       if (max_size > 0 && i_size > max_size) {
+               ret = -EFBIG;
+               goto out;
+       }
+       if (i_size <= 0) {
+               ret = -EINVAL;
+               goto out;
+       }
 
        *buf = vmalloc(i_size);
-       if (!*buf)
-               return -ENOMEM;
+       if (!*buf) {
+               ret = -ENOMEM;
+               goto out;
+       }
 
        pos = 0;
        while (pos < i_size) {
@@ -876,18 +886,21 @@ int kernel_read_file(struct file *file, void **buf, loff_t *size,
 
        if (pos != i_size) {
                ret = -EIO;
-               goto out;
+               goto out_free;
        }
 
        ret = security_kernel_post_read_file(file, *buf, i_size, id);
        if (!ret)
                *size = pos;
 
-out:
+out_free:
        if (ret < 0) {
                vfree(*buf);
                *buf = NULL;
        }
+
+out:
+       allow_write_access(file);
        return ret;
 }
 EXPORT_SYMBOL_GPL(kernel_read_file);