Commit:     b140f25108a8b11aa4903014814988549838b324
Parent:     ce0be1273d1473a5a7b57bf0b4995b40c22d6b54
Author:     Alexey Kuznetsov <[EMAIL PROTECTED]>
AuthorDate: Tue May 8 00:31:57 2007 -0700
Committer:  Linus Torvalds <[EMAIL PROTECTED]>
CommitDate: Tue May 8 11:15:15 2007 -0700

    Invalid return value of execve() resulting in oopses

    When elf loader fails to map executable (due to memory shortage or because
    binary is malformed), it can return 0.  Normally, this is invisible because
    process is killed with SIGKILL and it never returns to user space.

    But if exec() is called from kernel thread (hotplug, whatever)
    consequences are more interesting and vary depending on architecture.

    i386.   Nothing especially interesting, execve() just returns
            with "success"  :-)

    x86_64. Fake zero frame is used on way to caller, RSP/RIP are loaded
            with zeros, ergo... double fault.

    ia64.   Similar to i386, but r32...r95 are corrupted. Sometimes it
            oopses due to return to zero PC, sometimes it sees NaT in
            rXX and oopses due to NaT consumption.

    Signed-off-by: Alexey Kuznetsov <[EMAIL PROTECTED]>
    Signed-off-by: Kirill Korotaev <[EMAIL PROTECTED]>
    Signed-off-by: Pavel Emelianov <[EMAIL PROTECTED]>
    Signed-off-by: Andrew Morton <[EMAIL PROTECTED]>
    Signed-off-by: Linus Torvalds <[EMAIL PROTECTED]>

 fs/binfmt_elf.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
index 67d9b31..fa8ea33 100644
--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -871,6 +871,8 @@ static int load_elf_binary(struct linux_binprm *bprm, 
struct pt_regs *regs)
                                elf_prot, elf_flags);
                if (BAD_ADDR(error)) {
                        send_sig(SIGKILL, current, 0);
+                       retval = IS_ERR((void *)error) ?
+                               PTR_ERR((void*)error) : -EINVAL;
                        goto out_free_dentry;
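
Review bot: The -EINVAL fallback in the added `retval = IS_ERR((void *)error) ? ... : -EINVAL;` is undocumented. It covers the case where BAD_ADDR(error) is true but the value is not an encoded errno, and a one-line comment saying so would keep a later cleanup from collapsing the expression to a bare PTR_ERR(). As a style point, the two casts differ: `(void *)error` on the first added line and `(void*)error` on the second. Use `(void *)error` in both.
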
@@ -900,6 +902,7 @@ static int load_elf_binary(struct linux_binprm *bprm, 
struct pt_regs *regs)
                    TASK_SIZE - elf_ppnt->p_memsz < k) {
                        /* set_brk can never work. Avoid overflows. */
                        send_sig(SIGKILL, current, 0);
+                       retval = -EINVAL;
                        goto out_free_dentry;
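
Review bot: The `retval = -EINVAL;` added before `goto out_free_dentry` closes this one branch, but the fix still depends on every failure branch remembering to set retval by hand after `send_sig(SIGKILL, current, 0)`. Both hunks patch the same "SIGKILL then goto" pattern, so it is worth auditing every other jump to out_free_dentry in load_elf_binary() for the same omission. It would also help to extend the existing comment ("set_brk can never work. Avoid overflows.") to note that the error code matters when the caller is a kernel thread, which is the case the commit message describes.
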