| author | Kees Cook <[email protected]> | 2017-07-10 15:52:54 -0700 | 
|---|---|---|
| committer | Linus Torvalds <[email protected]> | 2017-07-10 16:32:36 -0700 | 
| commit | 67c6777a5d331dda32a4c4a1bf0cac85bdaaaed8 (patch) | |
| tree | c5ae9869b8e0a3e81091bb08597ea54346655824 /drivers/gpu/drm/amd/amdgpu/amdgpu_ucode.h | |
| parent | a73dc5370e153ac63718d850bddf0c9aa9d871e6 (diff) | |
binfmt_elf: safely increment argv pointers

When building the argv/envp pointers, the envp is needlessly
pre-incremented instead of just continuing after the argv pointers are
finished.  In some (likely impossible) race where the strings could be
changed from userspace between copy_strings() and here, it might be
possible to confuse the envp position.  Instead, just use sp like
everything else.

Link: http://lkml.kernel.org/r/20170622173838.GA43308@beast
Signed-off-by: Kees Cook <[email protected]>
Cc: Rik van Riel <[email protected]>
Cc: Daniel Micay <[email protected]>
Cc: Qualys Security Advisory <[email protected]>
Cc: Thomas Gleixner <[email protected]>
Cc: Ingo Molnar <[email protected]>
Cc: "H. Peter Anvin" <[email protected]>
Cc: Alexander Viro <[email protected]>
Cc: Dmitry Safonov <[email protected]>
Cc: Andy Lutomirski <[email protected]>
Cc: Grzegorz Andrejczuk <[email protected]>
Cc: Masahiro Yamada <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Diffstat (limited to 'drivers/gpu/drm/amd/amdgpu/amdgpu_ucode.h')
0 files changed, 0 insertions, 0 deletions