Gentoo's Bugzilla – Attachment 58065 Details for Bug 86783: Kernel: Potential DOS in load_elf_library (CAN-2005-0749)
[patch] Clean (fix) patch.
CAN-2005-0749.patch (text/plain), 2.31 KB, created by Lorenzo Hernández García-Hierro on 2005-05-04 13:29:06 UTC
>--- 25/fs/binfmt_elf.c~load_elf_binary-kfree-fix 2005-03-18 01:00:49.000000000 -0800 >+++ 25-akpm/fs/binfmt_elf.c 2005-03-18 01:03:14.000000000 -0800 >@@ -1028,6 +1028,7 @@ out_free_ph: > static int load_elf_library(struct file *file) > { > struct elf_phdr *elf_phdata; >+ struct elf_phdr *eppnt; > unsigned long elf_bss, bss, len; > int retval, error, i, j; > struct elfhdr elf_ex; 
>@@ -1051,44 +1052,47 @@ static int load_elf_library(struct file > /* j < ELF_MIN_ALIGN because elf_ex.e_phnum <= 2 */ > > error = -ENOMEM; >- elf_phdata = (struct elf_phdr *) kmalloc(j, GFP_KERNEL); >+ elf_phdata = kmalloc(j, GFP_KERNEL); > if (!elf_phdata) > goto out; > >+ eppnt = elf_phdata; > error = -ENOEXEC; >- retval = kernel_read(file, elf_ex.e_phoff, (char *) elf_phdata, j); >+ retval = kernel_read(file, elf_ex.e_phoff, (char *)eppnt, j); > if (retval != j) > goto out_free_ph; > > for (j = 0, i = 0; i<elf_ex.e_phnum; i++) >- if ((elf_phdata + i)->p_type == PT_LOAD) j++; >+ if ((eppnt + i)->p_type == PT_LOAD) >+ j++; > if (j != 1) > goto out_free_ph; > >- while (elf_phdata->p_type != PT_LOAD) elf_phdata++; >+ while (eppnt->p_type != PT_LOAD) >+ eppnt++; > > /* Now use mmap to map the library into memory. */ > down_write(¤t->mm->mmap_sem); > error = do_mmap(file, >- ELF_PAGESTART(elf_phdata->p_vaddr), >- (elf_phdata->p_filesz + >- ELF_PAGEOFFSET(elf_phdata->p_vaddr)), >+ ELF_PAGESTART(eppnt->p_vaddr), >+ (eppnt->p_filesz + >+ ELF_PAGEOFFSET(eppnt->p_vaddr)), > PROT_READ | PROT_WRITE | PROT_EXEC, > MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE, >- (elf_phdata->p_offset - >- ELF_PAGEOFFSET(elf_phdata->p_vaddr))); >+ (eppnt->p_offset - >+ ELF_PAGEOFFSET(eppnt->p_vaddr))); > up_write(¤t->mm->mmap_sem); >- if (error != ELF_PAGESTART(elf_phdata->p_vaddr)) >+ if (error != ELF_PAGESTART(eppnt->p_vaddr)) > goto out_free_ph; > >- elf_bss = elf_phdata->p_vaddr + elf_phdata->p_filesz; >+ elf_bss = eppnt->p_vaddr + eppnt->p_filesz; > if (padzero(elf_bss)) { > error = -EFAULT; > goto out_free_ph; > } > >- len = ELF_PAGESTART(elf_phdata->p_filesz + elf_phdata->p_vaddr + ELF_MIN_ALIGN - 1); >- bss = elf_phdata->p_memsz + elf_phdata->p_vaddr; >+ len = ELF_PAGESTART(eppnt->p_filesz + eppnt->p_vaddr + ELF_MIN_ALIGN - 1); >+ bss = eppnt->p_memsz + eppnt->p_vaddr; > if (bss > len) { > down_write(¤t->mm->mmap_sem); > do_brk(len, bss - len);
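Review bot: the new `struct elf_phdr *eppnt;` declaration in the first hunk carries no comment saying why load_elf_library() now needs two pointers of the same type. The second hunk shows the intent: eppnt is the cursor that gets advanced with `eppnt++`, while elf_phdata keeps the address returned by kmalloc(). A one-line comment at the declaration stating that elf_phdata must not be advanced would keep a later cleanup from folding the two back together.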
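Review bot: the `while (eppnt->p_type != PT_LOAD) eppnt++;` walk in the second hunk has no bound of its own; it stays inside the j-byte buffer only because the count loop just above found exactly one PT_LOAD among the first e_phnum entries before `if (j != 1) goto out_free_ph;`. Setting eppnt inside that count loop when `p_type == PT_LOAD` matches would make the bound explicit and remove the second pass. Separately, p_vaddr, p_filesz and p_memsz come straight from the buffer filled by kernel_read(), and the sums `eppnt->p_vaddr + eppnt->p_filesz` and `eppnt->p_memsz + eppnt->p_vaddr` are used in these lines with no wraparound check; either add one or note in a comment where those fields are validated.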