| From 4c1c7be95c345cf2ad537a0c48e9aeadc7304527 Mon Sep 17 00:00:00 2001 |
| From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
| Date: Mon, 30 Sep 2013 13:45:08 -0700 |
| Subject: kernel/kmod.c: check for NULL in call_usermodehelper_exec() |
| |
| From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
| |
| commit 4c1c7be95c345cf2ad537a0c48e9aeadc7304527 upstream. |
| |
| If /proc/sys/kernel/core_pattern contains only "|", a NULL pointer |
| dereference happens upon core dump because argv_split("") returns |
| argv[0] == NULL. |
| |
| This bug was once fixed by commit 264b83c07a84 ("usermodehelper: check |
| subprocess_info->path != NULL") but was by error reintroduced by commit |
| 7f57cfa4e2aa ("usermodehelper: kill the sub_info->path[0] check"). |
| |
| This bug seems to exist since 2.6.19 (the version which core dump to |
| pipe was added). Depending on kernel version and config, some side |
| effect might happen immediately after this oops (e.g. kernel panic with |
| 2.6.32-358.18.1.el6). |
| |
| Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
| Acked-by: Oleg Nesterov <oleg@redhat.com> |
| Signed-off-by: Andrew Morton <akpm@linux-foundation.org> |
| Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| kernel/kmod.c | 4 ++++ |
| 1 file changed, 4 insertions(+) |
| |
| --- a/kernel/kmod.c |
| +++ b/kernel/kmod.c |
| @@ -571,6 +571,10 @@ int call_usermodehelper_exec(struct subp |
| DECLARE_COMPLETION_ONSTACK(done); |
| int retval = 0; |
| |
| + if (!sub_info->path) { |
| + call_usermodehelper_freeinfo(sub_info); |
| + return -EINVAL; |
| + } |
| helper_lock(); |
| if (!khelper_wq || usermodehelper_disabled) { |
| retval = -EBUSY; |