diff options
author | Hugh Dickins <hugh@veritas.com> | 2009-03-28 23:16:03 +0000 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@suse.de> | 2009-05-08 15:45:05 -0700 |
commit | 3d068235e6c8580431f47254b71f75b1e70e6b26 (patch) | |
tree | 78ccbe511165145e7a4cf832f355ec383d925a4f /fs | |
parent | 669e1834c4c57a880260a0e720266b1077d7d355 (diff) |
compat_do_execve should unshare_files
commit 53e9309e01277ec99c38e84e0ca16921287cf470 upstream.
2.6.26's commit fd8328be874f4190a811c58cd4778ec2c74d2c05
"sanitize handling of shared descriptor tables in failing execve()"
moved the unshare_files() from flush_old_exec() and several binfmts
to the head of do_execve(); but forgot to make the same change to
compat_do_execve(), leaving a CLONE_FILES files_struct shared across
exec from a 32-bit process on a 64-bit kernel.
It's arguable whether the files_struct really ought to be unshared
across exec; but 2.6.1 made that so to stop the loading binary's fd
leaking into other threads, and a 32-bit process on a 64-bit kernel
ought to behave in the same way as 32 on 32 and 64 on 64.
Signed-off-by: Hugh Dickins <hugh@veritas.com>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Diffstat (limited to 'fs')
-rw-r--r-- | fs/compat.c | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/fs/compat.c b/fs/compat.c index d0145ca2757..2b1a8c44240 100644 --- a/fs/compat.c +++ b/fs/compat.c @@ -1392,12 +1392,17 @@ int compat_do_execve(char * filename, { struct linux_binprm *bprm; struct file *file; + struct files_struct *displaced; int retval; + retval = unshare_files(&displaced); + if (retval) + goto out_ret; + retval = -ENOMEM; bprm = kzalloc(sizeof(*bprm), GFP_KERNEL); if (!bprm) - goto out_ret; + goto out_files; retval = mutex_lock_interruptible(¤t->cred_exec_mutex); if (retval < 0) @@ -1457,6 +1462,8 @@ int compat_do_execve(char * filename, mutex_unlock(¤t->cred_exec_mutex); acct_update_integrals(current); free_bprm(bprm); + if (displaced) + put_files_struct(displaced); return retval; out: @@ -1475,6 +1482,9 @@ out_unlock: out_free: free_bprm(bprm); +out_files: + if (displaced) + reset_files_struct(displaced); out_ret: return retval; } |