[BUG] binfmt_elf: get_user() called in vma_dump_size() after set_fs(KERNEL_DS)

From: Gerald Schaefer
Date: Fri Feb 06 2009 - 12:11:33 EST


Hi,

elf_core_dump() does a set_fs(KERNEL_DS) and then calls vma_dump_size(),
which uses get_user() to check for an ELF header at vma->vm_start in the
user mapping. This is a bug because vm_start is a user virtual address and
get_user() will fail or even read from a kernel address (KERNEL_DS).

Maybe a get_user_pages() should be used to get the user data, or a temporary
set_fs(USER_DS)?

--
Gerald

