From: Andrea Arcangeli
Date: Tue, 25 Jul 2017 20:22:45 +0000 (+0200)
Subject: fs/exec: fix use after free in execve
X-Git-Url: https://git.stricted.de/?p=GitHub%2Fmt8127%2Fandroid_kernel_alcatel_ttab.git;a=commitdiff_plain;h=14468afe50e021585050245adfac7a1d385939cd;hp=14468afe50e021585050245adfac7a1d385939cd

fs/exec: fix use after free in execve

"file" can be already freed if bprm->file is NULL after search_binary_handler() returns. binfmt_script will do exactly that, for example. If the VM reuses the file after fput() runs, this will result in a use after free. So obtain d_is_su before search_binary_handler() runs.

This should explain this crash:

[25333.009554] Unable to handle kernel NULL pointer dereference at virtual address 00000185
[..]
[25333.009918] [2: am:21861] PC is at do_execve+0x354/0x474

Change-Id: I2a8a814d1c0aa75625be83cb30432cf13f1a0681
Signed-off-by: Kevin F. Haggerty
---