Commit b140f25108a8b11aa4903014814988549838b324

Authored by Alexey Kuznetsov
Committed by Linus Torvalds
1 parent ce0be1273d

Invalid return value of execve() resulting in oopses

When the ELF loader fails to map an executable (due to memory shortage or because
the binary is malformed), it can return 0.  Normally, this is invisible because the
process is killed with SIGKILL and it never returns to user space.

But if exec() is called from a kernel thread (hotplug, whatever), the
consequences are more interesting and vary depending on the architecture.

i386.   Nothing especially interesting, execve() just returns
        with "success"  :-)

x86_64. A fake zero frame is used on the way to the caller, RSP/RIP are loaded
        with zeros, ergo... double fault.

ia64.   Similar to i386, but r32...r95 are corrupted. Sometimes it
        oopses due to a return to zero PC, sometimes it sees NaT in
        rXX and oopses due to NaT consumption.

Signed-off-by: Alexey Kuznetsov <alexey@openvz.org>
Signed-off-by: Kirill Korotaev <dev@openvz.org>
Signed-off-by: Pavel Emelianov <xemul@openvz.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Showing 1 changed file with 3 additions and 0 deletions

... ... @@ -871,6 +871,8 @@
871 871 elf_prot, elf_flags);
872 872 if (BAD_ADDR(error)) {
873 873 send_sig(SIGKILL, current, 0);
  874 + retval = IS_ERR((void *)error) ?
  875 + PTR_ERR((void*)error) : -EINVAL;
874 876 goto out_free_dentry;
875 877 }
876 878  
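Review bot: the cast spelling is inconsistent within the one new statement, `(void *)error` on the first line and `(void*)error` on the second; kernel style is `(void *)`, so the continuation line should read `PTR_ERR((void *)error) : -EINVAL;`. On the logic, the ternary is right for this site: `BAD_ADDR(error)` is true both when `elf_map` returned an ERR_PTR-encoded error and when it returned an out-of-range address, so propagating `PTR_ERR()` in the first case and falling back to `-EINVAL` in the second means `retval` is always negative before `goto out_free_dentry`, which is exactly the gap the commit message describes (returning 0 to a kernel-thread caller). A one-line comment above the assignment saying why `retval` must be set here even though `SIGKILL` has already been sent (a kernel thread caller does return) would save the next reader a trip to the changelog.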
... ... @@ -900,6 +902,7 @@
900 902 TASK_SIZE - elf_ppnt->p_memsz < k) {
901 903 /* set_brk can never work. Avoid overflows. */
902 904 send_sig(SIGKILL, current, 0);
  905 + retval = -EINVAL;
903 906 goto out_free_dentry;
904 907 }
905 908
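Review bot: `-EINVAL` is the right code for this site, since the `TASK_SIZE - elf_ppnt->p_memsz < k` check rejects a binary whose program header cannot be honoured rather than a transient resource failure, but the same `send_sig(SIGKILL, current, 0);` followed by `retval = ...;` then `goto out_free_dentry;` now appears at two sites in this patch; if the shared cleanup label is the only consumer, consider setting a default error value once on the failure path, or at least confirm at review time that every other `goto out_free_dentry` in this function also leaves `retval` negative, since the bug being fixed is precisely a path that reaches the common exit with `retval` still at its success value.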