From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: Ben Hutchings <ben@decadent.org.uk>
Cc: linux-kernel@vger.kernel.org, stable@vger.kernel.org,
	kernel-team@lists.ubuntu.com, Kees Cook <keescook@chromium.org>,
	halfdog <me@halfdog.net>, P J P <ppandit@redhat.com>,
	Alexander Viro <viro@zeniv.linux.org.uk>,
	Andrew Morton <akpm@linux-foundation.org>,
	Linus Torvalds <torvalds@linux-foundation.org>,
	Luis Henriques <luis.henriques@canonical.com>
Subject: Re: [PATCH 42/88] exec: use -ELOOP for max recursion depth
Date: Tue, 26 Mar 2013 13:25:04 -0700
Message-ID: <20130326202504.GE21624@kroah.com>
In-Reply-To: <1363661587.3937.360.camel@deadeye.wl.decadent.org.uk>

On Tue, Mar 19, 2013 at 02:53:07AM +0000, Ben Hutchings wrote:
> On Thu, 2013-03-14 at 10:35 +0000, Luis Henriques wrote:
> > 3.5.7.8 -stable review patch.  If anyone has any objections, please let me know.
> > 
> > ------------------
> > 
> > From: Kees Cook <keescook@chromium.org>
> > 
> > commit d740269867021faf4ce38a449353d2b986c34a67 upstream.
> > 
> > To avoid an explosion of request_module calls on a chain of abusive
> > scripts, fail maximum recursion with -ELOOP instead of -ENOEXEC. As soon
> > as maximum recursion depth is hit, the error will fail all the way back
> > up the chain, aborting immediately.
> > 
> > This also has the side-effect of stopping the user's shell from attempting
> > to reexecute the top-level file as a shell script. As seen in the
> > dash source:
> > 
> >         if (cmd != path_bshell && errno == ENOEXEC) {
> >                 *argv-- = cmd;
> >                 *argv = cmd = path_bshell;
> >                 goto repeat;
> >         }
> > 
> > The above logic was designed for running scripts automatically that lacked
> > the "#!" header, not to re-try failed recursion. On a legitimate -ENOEXEC,
> > things continue to behave as the shell expects.
> > 
> > Additionally, when tracking recursion, the binfmt handlers should not be
> > involved. The recursion being tracked is the depth of calls through
> > search_binary_handler(), so that function should be exclusively responsible
> > for tracking the depth.
> > 
> > Signed-off-by: Kees Cook <keescook@chromium.org>
> > Cc: halfdog <me@halfdog.net>
> > Cc: P J P <ppandit@redhat.com>
> > Cc: Alexander Viro <viro@zeniv.linux.org.uk>
> > Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
> > Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
> > [ luis: backport to 3.5 ]
> > Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
> [...]
> 
> Greg, I also included this in 3.2.y (commit 511d07b) but it is missing
> from 3.0.y and 3.4.y.  I hope one or other of these backports will be
> suitable for them (it was just a context fix for 3.2.y).

Applied, thanks.

greg k-h
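
Added example, not part of the original message or of the kernel patch: a userspace model of the behaviour the quoted commit message describes, counting module requests when the recursion limit fails with -ENOEXEC versus -ELOOP and applying the quoted dash check to the result. `search_handler`, `simulate`, `shell_would_retry`, the `MAX_DEPTH` value and the single retry after a module request are assumptions of this model.

```c
#include <errno.h>
#include <stdio.h>

#define MAX_DEPTH 5   /* recursion limit for this model (assumed value) */

static int module_requests;   /* stands in for request_module() calls */

/* Simplified model of search_binary_handler(): every file in the chain is a
 * script naming the next file as its interpreter, so each level recurses. */
static int search_handler(int depth, int limit_errno)
{
    if (depth > MAX_DEPTH)
        return -limit_errno;       /* -ENOEXEC before the change, -ELOOP after */

    for (int attempt = 0; attempt < 2; attempt++) {
        int ret = search_handler(depth + 1, limit_errno);
        if (ret != -ENOEXEC)
            return ret;            /* any other error aborts up the chain */
        if (attempt == 0)
            module_requests++;     /* "no handler": request a module, retry once */
    }
    return -ENOEXEC;
}

/* Runs one exec of the chain; returns the errno the caller (the shell) sees. */
int simulate(int limit_errno, int *requests)
{
    module_requests = 0;
    int ret = search_handler(0, limit_errno);
    *requests = module_requests;
    return -ret;
}

/* The dash check quoted in the commit message: retry as a shell script only
 * when exec failed with ENOEXEC. */
int shell_would_retry(int exec_errno)
{
    return exec_errno == ENOEXEC;
}

int main(void)
{
    int codes[] = { ENOEXEC, ELOOP }, n;
    for (int i = 0; i < 2; i++) {
        int err = simulate(codes[i], &n);
        printf("limit errno %d: %d module requests, shell retry: %d\n",
               codes[i], n, shell_would_retry(err));
    }
    return 0;
}
```

In this model the -ENOEXEC case roughly doubles the module requests with each level of the chain, while -ELOOP returns straight to the caller with none and does not trigger the shell's fallback.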
