Re: [PATCH] proc: fix NULL dereference when reading /proc/<pid>/auxv
From: Michal Hocko
Date: Wed Oct 19 2016 - 12:26:48 EST
On Wed 19-10-16 21:59:40, Leon Yu wrote:
[...]
> diff --git a/fs/proc/base.c b/fs/proc/base.c
> index c2964d890c9a..598d08936a3c 100644
> --- a/fs/proc/base.c
> +++ b/fs/proc/base.c
> @@ -1007,6 +1007,9 @@ static ssize_t auxv_read(struct file *file, char __user *buf,
> {
> struct mm_struct *mm = file->private_data;
> unsigned int nwords = 0;
> +
> + if (IS_ERR_OR_NULL(mm))
> + return PTR_ERR(mm);
> do {
> nwords += 2;
> } while (mm->saved_auxv[nwords - 2] != 0); /* AT_NULL */
Why would we even want to open that file if there is no mm struct?
Wouldn't something like this be better? ESRCH might be a bit unexpected
for an existing pid but I am not sure what would be a better error code.
---
diff --git a/fs/proc/base.c b/fs/proc/base.c
index 5ef2ae81f623..d34d33dbf1b2 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -804,10 +804,10 @@ static const struct file_operations proc_single_file_operations = {
struct mm_struct *proc_mem_open(struct inode *inode, unsigned int mode)
{
struct task_struct *task = get_proc_task(inode);
- struct mm_struct *mm = ERR_PTR(-ESRCH);
+ struct mm_struct *ret = ERR_PTR(-ESRCH);
if (task) {
- mm = mm_access(task, mode | PTRACE_MODE_FSCREDS);
+ struct mm_struct *mm = mm_access(task, mode | PTRACE_MODE_FSCREDS);
put_task_struct(task);
if (!IS_ERR_OR_NULL(mm)) {
@@ -815,10 +815,11 @@ struct mm_struct *proc_mem_open(struct inode *inode, unsigned int mode)
atomic_inc(&mm->mm_count);
/* but do not pin its memory */
mmput(mm);
+ ret = mm;
}
}
- return mm;
+ return ret;
}
static int __mem_open(struct inode *inode, struct file *file, unsigned int mode)
--
Michal Hocko
SUSE Labs