Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

Merge branch 'to-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/frob/linux-2.6-roland

* 'to-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/frob/linux-2.6-roland:
elf core dump: fix get_user use

+12 -2
fs/binfmt_elf.c
··· 1208 1208 * check for an ELF header. If we find one, dump the first page to 1209 1209 * aid in determining what was mapped here. 1210 1210 */ 1211 - if (FILTER(ELF_HEADERS) && vma->vm_file != NULL && vma->vm_pgoff == 0) { 1211 + if (FILTER(ELF_HEADERS) && 1212 + vma->vm_pgoff == 0 && (vma->vm_flags & VM_READ)) { 1212 1213 u32 __user *header = (u32 __user *) vma->vm_start; 1213 1214 u32 word; 1215 + mm_segment_t fs = get_fs(); 1214 1216 /* 1215 1217 * Doing it this way gets the constant folded by GCC. 1216 1218 */ ··· 1225 1223 magic.elfmag[EI_MAG1] = ELFMAG1; 1226 1224 magic.elfmag[EI_MAG2] = ELFMAG2; 1227 1225 magic.elfmag[EI_MAG3] = ELFMAG3; 1228 - if (get_user(word, header) == 0 && word == magic.cmp) 1226 + /* 1227 + * Switch to the user "segment" for get_user(), 1228 + * then put back what elf_core_dump() had in place. 1229 + */ 1230 + set_fs(USER_DS); 1231 + if (unlikely(get_user(word, header))) 1232 + word = 0; 1233 + set_fs(fs); 1234 + if (word == magic.cmp) 1229 1235 return PAGE_SIZE; 1230 1236 } 1231 1237
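Review bot: The rewritten condition at line 1211 of fs/binfmt_elf.c drops the `vma->vm_file != NULL` test, and nothing in the subject "elf core dump: fix get_user use" or in the comment above the condition accounts for that. With the test gone, every readable mapping with `vm_pgoff == 0` is probed for an ELF header, including mappings that have no backing file. If that widening is intended, state the reason in the comment above the `if` or in the changelog; if it is not, keep the `vm_file` test next to the new `(vma->vm_flags & VM_READ)` check.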
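Review bot: In the second hunk (new lines 1226-1234), a failed `get_user()` is folded into `word = 0` and only rejected later by `if (word == magic.cmp)`, which is correct only while `magic.cmp` can never be zero. That holds for the ELF magic, but the dependency is implicit; either note it in the new comment or keep the `get_user()` result in a local and test it after `set_fs(fs)`. The `set_fs(USER_DS)` / `set_fs(fs)` pair has no return path between the two calls, which is what it needs; a sentence in the comment saying the window must stay free of early exits would help whoever touches this next.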