From patchwork Wed Mar 20 18:26:07 2024
X-Patchwork-Submitter: Max Filippov
X-Patchwork-Id: 13598083
From: Max Filippov
To: linux-kernel@vger.kernel.org
Cc: linux-mm@kvack.org, linux-fsdevel@vger.kernel.org, Eric Biederman, Kees Cook, Alexander Viro, Christian Brauner, Jan Kara, Rich Felker, Max Filippov, stable@vger.kernel.org
Subject: [PATCH] exec: fix linux_binprm::exec in transfer_args_to_stack()
Date: Wed, 20 Mar 2024 11:26:07 -0700
Message-Id: <20240320182607.1472887-1-jcmvbkbc@gmail.com>

In NOMMU kernel the value of linux_binprm::p is the offset inside the temporary program arguments array maintained in separate pages in the linux_binprm::page. linux_binprm::exec being a copy of linux_binprm::p thus must be adjusted when that array is copied to the user stack. Without that adjustment the value passed by the NOMMU kernel to the ELF program in the AT_EXECFN entry of the aux array doesn't make any sense and it may break programs that try to access memory pointed to by that entry.

Adjust linux_binprm::exec before the successful return from the transfer_args_to_stack().

Cc: stable@vger.kernel.org
Signed-off-by: Max Filippov

--- fs/exec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/fs/exec.c b/fs/exec.c index af4fbb61cd53..5ee2545c3e18 100644 --- a/fs/exec.c +++ b/fs/exec.c
@@ -895,6 +895,7 @@ int transfer_args_to_stack(struct linux_binprm *bprm, goto out; } + bprm->exec += *sp_location - MAX_ARG_PAGES * PAGE_SIZE; *sp_location = sp; out:
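
Review bot: The added `bprm->exec += *sp_location - MAX_ARG_PAGES * PAGE_SIZE;` reads the incoming `*sp_location` and is only correct because it sits before `*sp_location = sp;` overwrites that value, yet nothing in the hunk documents that ordering dependency. A short comment above the line would help, saying that `bprm->exec` is being rebased from an offset within the temporary argument pages to an address on the user stack and that it must use the incoming `*sp_location`. That would keep a later reordering from silently producing a bogus AT_EXECFN pointer again. The comment or the changelog should also state why `MAX_ARG_PAGES * PAGE_SIZE` is the right base to subtract. Since the patch is Cc'd to stable, a Fixes: tag naming the commit that introduced the problem would tell backporters how far back it applies.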