binfmt_elf: safely increment argv pointers

When building the argv/envp pointers, the envp is needlessly
pre-incremented instead of just continuing after the argv pointers are
finished.  In some (likely impossible) race where the strings could be
changed from userspace between copy_strings() and here, it might be
possible to confuse the envp position.  Instead, just use sp like
everything else.

Signed-off-by: Kees Cook <>
Cc: Rik van Riel <>
Cc: Daniel Micay <>
Cc: Qualys Security Advisory <>
Cc: Thomas Gleixner <>
Cc: Ingo Molnar <>
Cc: "H. Peter Anvin" <>
Cc: Alexander Viro <>
Cc: Dmitry Safonov <>
Cc: Andy Lutomirski <>
Cc: Grzegorz Andrejczuk <>
Cc: Masahiro Yamada <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
1 file changed