Re: [BUG] binfmt_elf: get_user() called in vma_dump_size() after set_fs(KERNEL_DS)

From: Andrew Morton
Date: Fri Feb 06 2009 - 16:45:59 EST


On Fri, 06 Feb 2009 18:10:35 +0100
Gerald Schaefer <gerald.schaefer@xxxxxxxxxx> wrote:

> Hi,
>
> elf_core_dump() does a set_fs(KERNEL_DS) and then calls vma_dump_size(),
> which uses get_user() to check for an ELF header at vma->vm_start in the
> user mapping. This is a bug because vm_start is a user virtual address and
> get_user() will fail or even read from a kernel address (KERNEL_DS).
>
> Maybe a get_user_pages() should be used to get the user data, or a temporary
> set_fs(USER_DS)?
>

Could use __get_user() to skip the access_ok() check?

We'd need to be sure that the address isn't a kernel address or iomem
or something.
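Added illustration (example code written for this page, not kernel source and not code posted in the thread): a user-space model of the failure Gerald describes. The model's central assumption is that set_fs() selects which of two separate address spaces get_user() resolves a numeric address in, as on s390; all names (get_user_u32, elf_core_dump_model, scenario, read_unmapped) and the constructed memory contents are assumptions of the model. The "fixed" variant implements the temporary set_fs(USER_DS) he suggests.

```c
/* Added example: user-space model of get_user() after set_fs(KERNEL_DS) when
 * user and kernel address spaces are separate (s390-like). All names and the
 * two-array address-space model are assumptions, not kernel code. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 4096UL
#define SELFMAG   4
#define ELFMAG    "\177ELF"
#define EFAULT    14

/* Two distinct address spaces that use the same numeric addresses. */
static unsigned char user_space[2 * PAGE_SIZE];
static unsigned char kernel_space[2 * PAGE_SIZE];

typedef enum { USER_DS, KERNEL_DS } mm_segment_t;
static mm_segment_t current_fs = USER_DS;

static mm_segment_t get_fs(void) { return current_fs; }
static void set_fs(mm_segment_t fs) { current_fs = fs; }

/* Model of get_user(): the segment chosen by set_fs() decides which space the
 * address is resolved in; the bounds check stands in for access_ok(). */
static int get_user_u32(uint32_t *out, unsigned long addr)
{
    const unsigned char *space = (current_fs == USER_DS) ? user_space
                                                         : kernel_space;
    if (addr > sizeof user_space - sizeof *out)
        return -EFAULT;
    memcpy(out, space + addr, sizeof *out);
    return 0;
}

struct vm_area_struct { unsigned long vm_start; unsigned long vm_end; };

/* Shape of the bug: whatever segment the caller left in place is used. */
static unsigned long vma_dump_size_buggy(const struct vm_area_struct *vma)
{
    uint32_t word;
    if (get_user_u32(&word, vma->vm_start))
        return 0;
    return memcmp(&word, ELFMAG, SELFMAG) == 0 ? PAGE_SIZE : 0;
}

/* Temporary set_fs(USER_DS): switch, read the user mapping, restore. */
static unsigned long vma_dump_size_fixed(const struct vm_area_struct *vma)
{
    uint32_t word;
    mm_segment_t fs = get_fs();
    int err;

    set_fs(USER_DS);
    err = get_user_u32(&word, vma->vm_start);
    set_fs(fs);
    if (err)
        return 0;
    return memcmp(&word, ELFMAG, SELFMAG) == 0 ? PAGE_SIZE : 0;
}

/* elf_core_dump() walks the vmas under KERNEL_DS. */
static unsigned long elf_core_dump_model(
        unsigned long (*dump_size)(const struct vm_area_struct *),
        const struct vm_area_struct *vma)
{
    mm_segment_t fs = get_fs();
    unsigned long n;

    set_fs(KERNEL_DS);
    n = dump_size(vma);
    set_fs(fs);
    return n;
}

/* Constructed scenario: a readable user vma at PAGE_SIZE; optionally put ELF
 * magic in the user mapping and/or at the same numeric kernel address. */
static unsigned long scenario(int user_has_elf, int kernel_has_elf, int use_fix)
{
    struct vm_area_struct vma = { PAGE_SIZE, 2 * PAGE_SIZE };

    memset(user_space, 0x00, sizeof user_space);
    memset(kernel_space, 0xAA, sizeof kernel_space);
    if (user_has_elf)
        memcpy(user_space + vma.vm_start, ELFMAG, SELFMAG);
    if (kernel_has_elf)
        memcpy(kernel_space + vma.vm_start, ELFMAG, SELFMAG);

    return elf_core_dump_model(use_fix ? vma_dump_size_fixed
                                       : vma_dump_size_buggy, &vma);
}

/* Unmapped address: the access_ok-style check refuses it with -EFAULT. */
static int read_unmapped(void)
{
    uint32_t w;
    set_fs(USER_DS);
    return get_user_u32(&w, 3 * PAGE_SIZE);
}

int main(void)
{
    printf("user ELF, kernel junk: buggy=%lu fixed=%lu\n",
           scenario(1, 0, 0), scenario(1, 0, 1));
    printf("user junk, kernel ELF: buggy=%lu fixed=%lu\n",
           scenario(0, 1, 0), scenario(0, 1, 1));
    return 0;
}
```

Run as-is: the buggy path misses a genuine ELF header in the user mapping and, in the second scenario, reports one on the strength of kernel memory at the same numeric address, which is the "fail or even read from a kernel address" outcome Gerald describes. In this model, switching to a __get_user() that skips the access_ok-style range check would change nothing, because the problem is which address space is selected, not the range check; the fixed variant also restores the caller's segment with get_fs()/set_fs() so that elf_core_dump() keeps KERNEL_DS for the rest of the dump.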