[RFC][PATCH] mm: search_binary_handler mem limit fix
From: Dmitriy Monakhov
Date: Sat Jan 20 2007 - 08:40:22 EST
Function change mem limit to USER_DS before possible modprobe, but never restore
it again. Why does this happend, is it just forgotten? As i understand currently
this not cause actual problems, but any one may call access_ok() after
search_binary_handler() and will be really surprised.
Signed-off-by: Dmitriy Monakhov <dmonakhov@xxxxxxxxxx>
--------
diff --git a/fs/exec.c b/fs/exec.c
index 11fe93f..c7e017b 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -1020,6 +1020,7 @@ int search_binary_handler(struct linux_b
{
int try,retval;
struct linux_binfmt *fmt;
+ mm_segment_t oldfs;
#ifdef __alpha__
/* handle /sbin/loader.. */
{
@@ -1061,11 +1062,12 @@ int search_binary_handler(struct linux_b
/* kernel module loader fixup */
/* so we don't try to load run modprobe in kernel space. */
+ oldfs = get_fs();
set_fs(USER_DS);
retval = audit_bprm(bprm);
if (retval)
- return retval;
+ goto out;
retval = -ENOENT;
for (try=0; try<2; try++) {
@@ -1086,7 +1088,7 @@ int search_binary_handler(struct linux_b
bprm->file = NULL;
current->did_exec = 1;
proc_exec_connector(current);
- return retval;
+ goto out;
}
read_lock(&binfmt_lock);
put_binfmt(fmt);
@@ -1094,7 +1096,7 @@ int search_binary_handler(struct linux_b
break;
if (!bprm->file) {
read_unlock(&binfmt_lock);
- return retval;
+ goto out;
}
}
read_unlock(&binfmt_lock);
@@ -1112,6 +1114,8 @@ int search_binary_handler(struct linux_b
#endif
}
}
+out:
+ set_fs(oldfs);
return retval;
}