On 3/30/2019 7:30 PM, Nikitas Angelinas wrote:
Syzkaller found an issue where an invalid interpreter pointer is
dereferenced in load_elf_binary()->allow_write_access()
please mention here on failure path insideĀ allow_write_access
as there are two path it gets called.
. Fix this by
jumping to a different label in the cleanup path.
This patch applies against the latest linux-next tree. I have not tested
that the patch addresses the issue, but it should, imho.
This should not be written in commit text body.
please fix.
Signed-off-by: Nikitas Angelinas <nikitas.angeli...@gmail.com>
Reported-by: syzbot+0d1fcd7268b21bace...@syzkaller.appspotmail.com
Fixes: 44e63c4a0263 ("fs/binfmt_elf.c: free PT_INTERP filename ASAP")
---
Patch looks valid to me as interpreter may be NULL and it later get
tried to dereferencing inside allow_write_access
under label out_free_dentry.
Reviewed-by: Mukesh Ojha <mo...@codeaurora.org>
Cheers,
-Mukesh
fs/binfmt_elf.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
index 51bc894..09e76b2 100644
--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -777,7 +777,7 @@ static int load_elf_binary(struct linux_binprm *bprm)
kfree(elf_interpreter);
retval = PTR_ERR(interpreter);
if (IS_ERR(interpreter))
- goto out_free_dentry;
+ goto out_free_ph;
/*
* If the binary is not readable then enforce
