Unverified Commit 4c126c01 authored by openeuler-ci-bot's avatar openeuler-ci-bot Committed by Gitee
Browse files

!11099 exec: Fix ToCToU between perm check and set-uid/gid usage 

Merge Pull Request from: @ci-robot 
 
PR sync from: Zizhi Wo <wozizhi@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/HRJSP2NR6QVNT6Y7BVBB5MZLLEZCG47S/ 
 
https://gitee.com/src-openeuler/kernel/issues/IALED4 
 
Link:https://gitee.com/openeuler/kernel/pulls/11099

 

Reviewed-by: default avatarYang Yingliang <yangyingliang@huawei.com>
Signed-off-by: default avatarYang Yingliang <yangyingliang@huawei.com>
parents 58743633 4ec77704

fs/exec.c

+7 −1
Original line number Diff line number Diff line
@@ -1584,6 +1584,7 @@ static void bprm_fill_uid(struct linux_binprm *bprm, struct file *file) 
	unsigned int mode;

	kuid_t uid;

	kgid_t gid;

	int err;



	if (!mnt_may_suid(file->f_path.mnt))

		return;
@@ -1599,12 +1600,17 @@ static void bprm_fill_uid(struct linux_binprm *bprm, struct file *file) 
	/* Be careful if suid/sgid is set */

	inode_lock(inode);



	/* reload atomically mode/uid/gid now that lock held */

	/* Atomically reload and check mode/uid/gid now that lock held. */

	mode = inode->i_mode;

	uid = inode->i_uid;

	gid = inode->i_gid;

	err = inode_permission(inode, MAY_EXEC);

	inode_unlock(inode);



	/* Did the exec bit vanish out from under us? Give up. */

	if (err)

		return;



	/* We ignore suid/sgid if there are no mappings for them in the ns */

	if (!kuid_has_mapping(bprm->cred->user_ns, uid) ||

		 !kgid_has_mapping(bprm->cred->user_ns, gid))