Re: [RFC][PATCH] exec: Fix use after free of tracepointtrace_sched_process_exec

From: Steven Rostedt
Date: Tue Feb 04 2014 - 15:10:39 EST

On Tue, 4 Feb 2014 20:00:07 +0100
Oleg Nesterov <oleg@xxxxxxxxxx> wrote:

> On 02/04, Steven Rostedt wrote:
> >
> > Now to fix this we need to save the filename before calling
> > search_binary_handler(). But we don't want to save it if we are not
> > tracing. Why slow everyone else down?
> Yes, but it would be much simpler to dup filename unconditionally.

I was hoping not to add more work to exec, for the purpose if tracing
is enabled.

> Note also that in this case we can kill linux_binprm->tcomm[] and
> simplify filename_to_taskname().
> > This works, but is rather ugly.
> Yes ;)
> > Looking for any other suggestions here.
> Perhaps we can change flush_old_exec() to do
> if (!current->mm) {
> bprm->filename = kstrdup(bprm->filename);
> if (bprm->filename)
> bprm->filename_was_dupped = true; // for free_bprm()
> else
> bprm->filename = "//enomem";
> }
> This won't penalize the normal exec, and this should fix the problem
> afaics.

Don't forget to add the free. And in any case, we added a branch
conditional. Yes, I'm that anal.

> Perhaps, instead of "//enomem" flush_old_exec() should simply fail,
> in this case we can kill bprm->tcomm[] too.

We could just add "//enomem" to the tracepoint too, and not use tcomm.

Also, I'm working on a patch that gets rid of all the setup of the
static_key and reuses the tracepoint static key instead (suggested by
Peter Zijlstra).

Thus, the change in exec.c would just look like this:

if (tracepoint_enabled(sched_process_exec)) {
} else
ret = search_binary_handler(bprm);

That is, we can get rid of the sched_process_exec_key_reg and unreg
functions, and just use this and it would become the same thing.

This will be helpful in other places too (David, I'm talking to you ;-)

-- Steve
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at
Please read the FAQ at