On 3/30/2019 7:30 PM, Nikitas Angelinas wrote:
Syzkaller found an issue where an invalid interpreter pointer is dereferenced in load_elf_binary()->allow_write_access()
Please mention here that this is on the failure path inside allow_write_access, as there are two paths where it gets called.
. Fix this by jumping to a different label in the cleanup path. This patch applies against the latest linux-next tree. I have not tested that the patch addresses the issue, but it should, imho.
This should not be written in the commit text body. Please fix.
Signed-off-by: Nikitas Angelinas <[email protected]>
Reported-by: [email protected]
Fixes: 44e63c4a0263 ("fs/binfmt_elf.c: free PT_INTERP filename ASAP")
---
Patch looks valid to me, as interpreter may be NULL and a dereference is later attempted inside allow_write_access under label out_free_dentry.

Reviewed-by: Mukesh Ojha <[email protected]>

Cheers,
-Mukesh
fs/binfmt_elf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c index 51bc894..09e76b2 100644 --- a/fs/binfmt_elf.c +++ b/fs/binfmt_elf.c @@ -777,7 +777,7 @@ static int load_elf_binary(struct linux_binprm *bprm) kfree(elf_interpreter); retval = PTR_ERR(interpreter); if (IS_ERR(interpreter)) - goto out_free_dentry; + goto out_free_ph;/** If the binary is not readable then enforce
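Review bot: at the changed line `goto out_free_ph;` under `if (IS_ERR(interpreter))`, the changelog should say why skipping out_free_dentry is safe, not only that it avoids the bad dereference. On this branch interpreter holds an error-encoded pointer (that is what IS_ERR() tests and what PTR_ERR() reads into retval), so a plain NULL check in the cleanup code would not reject it, and the visible kfree(elf_interpreter) has already released the name string before the jump. Please state in the commit text that nothing acquired before this point still needs the out_free_dentry cleanup, and replace the untested remark with the result of running the syzkaller reproducer against the patched tree.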

