diff options
Diffstat (limited to 'kernel/sys.c')
| -rw-r--r-- | kernel/sys.c | 62 | 
1 files changed, 34 insertions, 28 deletions
| diff --git a/kernel/sys.c b/kernel/sys.c index bdbfe8d37418..2969304c29fe 100644 --- a/kernel/sys.c +++ b/kernel/sys.c @@ -1882,13 +1882,14 @@ exit_err:  }  /* + * Check arithmetic relations of passed addresses. + *   * WARNING: we don't require any capability here so be very careful   * in what is allowed for modification from userspace.   */ -static int validate_prctl_map(struct prctl_mm_map *prctl_map) +static int validate_prctl_map_addr(struct prctl_mm_map *prctl_map)  {  	unsigned long mmap_max_addr = TASK_SIZE; -	struct mm_struct *mm = current->mm;  	int error = -EINVAL, i;  	static const unsigned char offsets[] = { @@ -1949,24 +1950,6 @@ static int validate_prctl_map(struct prctl_mm_map *prctl_map)  			      prctl_map->start_data))  			goto out; -	/* -	 * Someone is trying to cheat the auxv vector. -	 */ -	if (prctl_map->auxv_size) { -		if (!prctl_map->auxv || prctl_map->auxv_size > sizeof(mm->saved_auxv)) -			goto out; -	} - -	/* -	 * Finally, make sure the caller has the rights to -	 * change /proc/pid/exe link: only local sys admin should -	 * be allowed to. -	 */ -	if (prctl_map->exe_fd != (u32)-1) { -		if (!ns_capable(current_user_ns(), CAP_SYS_ADMIN)) -			goto out; -	} -  	error = 0;  out:  	return error; @@ -1993,11 +1976,18 @@ static int prctl_set_mm_map(int opt, const void __user *addr, unsigned long data  	if (copy_from_user(&prctl_map, addr, sizeof(prctl_map)))  		return -EFAULT; -	error = validate_prctl_map(&prctl_map); +	error = validate_prctl_map_addr(&prctl_map);  	if (error)  		return error;  	if (prctl_map.auxv_size) { +		/* +		 * Someone is trying to cheat the auxv vector. +		 */ +		if (!prctl_map.auxv || +				prctl_map.auxv_size > sizeof(mm->saved_auxv)) +			return -EINVAL; +  		memset(user_auxv, 0, sizeof(user_auxv));  		if (copy_from_user(user_auxv,  				   (const void __user *)prctl_map.auxv, @@ -2010,6 +2000,14 @@ static int prctl_set_mm_map(int opt, const void __user *addr, unsigned long data  	}  	if (prctl_map.exe_fd != (u32)-1) { +		/* +		 * Make sure the caller has the rights to +		 * change /proc/pid/exe link: only local sys admin should +		 * be allowed to. +		 */ +		if (!ns_capable(current_user_ns(), CAP_SYS_ADMIN)) +			return -EINVAL; +  		error = prctl_set_mm_exe_file(mm, prctl_map.exe_fd);  		if (error)  			return error; @@ -2097,7 +2095,11 @@ static int prctl_set_mm(int opt, unsigned long addr,  			unsigned long arg4, unsigned long arg5)  {  	struct mm_struct *mm = current->mm; -	struct prctl_mm_map prctl_map; +	struct prctl_mm_map prctl_map = { +		.auxv = NULL, +		.auxv_size = 0, +		.exe_fd = -1, +	};  	struct vm_area_struct *vma;  	int error; @@ -2125,9 +2127,15 @@ static int prctl_set_mm(int opt, unsigned long addr,  	error = -EINVAL; -	down_write(&mm->mmap_sem); +	/* +	 * arg_lock protects concurent updates of arg boundaries, we need +	 * mmap_sem for a) concurrent sys_brk, b) finding VMA for addr +	 * validation. +	 */ +	down_read(&mm->mmap_sem);  	vma = find_vma(mm, addr); +	spin_lock(&mm->arg_lock);  	prctl_map.start_code	= mm->start_code;  	prctl_map.end_code	= mm->end_code;  	prctl_map.start_data	= mm->start_data; @@ -2139,9 +2147,6 @@ static int prctl_set_mm(int opt, unsigned long addr,  	prctl_map.arg_end	= mm->arg_end;  	prctl_map.env_start	= mm->env_start;  	prctl_map.env_end	= mm->env_end; -	prctl_map.auxv		= NULL; -	prctl_map.auxv_size	= 0; -	prctl_map.exe_fd	= -1;  	switch (opt) {  	case PR_SET_MM_START_CODE: @@ -2181,7 +2186,7 @@ static int prctl_set_mm(int opt, unsigned long addr,  		goto out;  	} -	error = validate_prctl_map(&prctl_map); +	error = validate_prctl_map_addr(&prctl_map);  	if (error)  		goto out; @@ -2218,7 +2223,8 @@ static int prctl_set_mm(int opt, unsigned long addr,  	error = 0;  out: -	up_write(&mm->mmap_sem); +	spin_unlock(&mm->arg_lock); +	up_read(&mm->mmap_sem);  	return error;  } | 
