From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Kees Cook <keescook@chromium.org>,
halfdog <me@halfdog.net>, P J P <ppandit@redhat.com>,
Alexander Viro <viro@zeniv.linux.org.uk>,
Andrew Morton <akpm@linux-foundation.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
Ben Hutchings <ben@decadent.org.uk>
Subject: [ 70/72] exec: use -ELOOP for max recursion depth
Date: Tue, 26 Mar 2013 15:51:53 -0700 [thread overview]
Message-ID: <20130326224926.865560953@linuxfoundation.org> (raw)
In-Reply-To: <20130326224919.675227837@linuxfoundation.org>
3.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kees Cook <keescook@chromium.org>
commit d740269867021faf4ce38a449353d2b986c34a67 upstream.
To avoid an explosion of request_module calls on a chain of abusive
scripts, fail maximum recursion with -ELOOP instead of -ENOEXEC. As soon
as maximum recursion depth is hit, the error will fail all the way back
up the chain, aborting immediately.
This also has the side-effect of stopping the user's shell from attempting
to reexecute the top-level file as a shell script. As seen in the
dash source:
if (cmd != path_bshell && errno == ENOEXEC) {
*argv-- = cmd;
*argv = cmd = path_bshell;
goto repeat;
}
The above logic was designed for running scripts automatically that lacked
the "#!" header, not to re-try failed recursion. On a legitimate -ENOEXEC,
things continue to behave as the shell expects.
Additionally, when tracking recursion, the binfmt handlers should not be
involved. The recursion being tracked is the depth of calls through
search_binary_handler(), so that function should be exclusively responsible
for tracking the depth.
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: halfdog <me@halfdog.net>
Cc: P J P <ppandit@redhat.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/binfmt_em86.c | 1 -
fs/binfmt_misc.c | 6 ------
fs/binfmt_script.c | 4 +---
fs/exec.c | 10 +++++-----
include/linux/binfmts.h | 2 --
5 files changed, 6 insertions(+), 17 deletions(-)
--- a/fs/binfmt_em86.c
+++ b/fs/binfmt_em86.c
@@ -42,7 +42,6 @@ static int load_em86(struct linux_binprm
return -ENOEXEC;
}
- bprm->recursion_depth++; /* Well, the bang-shell is implicit... */
allow_write_access(bprm->file);
fput(bprm->file);
bprm->file = NULL;
--- a/fs/binfmt_misc.c
+++ b/fs/binfmt_misc.c
@@ -117,10 +117,6 @@ static int load_misc_binary(struct linux
if (!enabled)
goto _ret;
- retval = -ENOEXEC;
- if (bprm->recursion_depth > BINPRM_MAX_RECURSION)
- goto _ret;
-
/* to keep locking time low, we copy the interpreter string */
read_lock(&entries_lock);
fmt = check_file(bprm);
@@ -200,8 +196,6 @@ static int load_misc_binary(struct linux
if (retval < 0)
goto _error;
- bprm->recursion_depth++;
-
retval = search_binary_handler (bprm, regs);
if (retval < 0)
goto _error;
--- a/fs/binfmt_script.c
+++ b/fs/binfmt_script.c
@@ -22,15 +22,13 @@ static int load_script(struct linux_binp
char interp[BINPRM_BUF_SIZE];
int retval;
- if ((bprm->buf[0] != '#') || (bprm->buf[1] != '!') ||
- (bprm->recursion_depth > BINPRM_MAX_RECURSION))
+ if ((bprm->buf[0] != '#') || (bprm->buf[1] != '!'))
return -ENOEXEC;
/*
* This section does the #! interpretation.
* Sorta complicated, but hopefully it will work. -TYT
*/
- bprm->recursion_depth++;
allow_write_access(bprm->file);
fput(bprm->file);
bprm->file = NULL;
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -1389,6 +1389,10 @@ int search_binary_handler(struct linux_b
struct linux_binfmt *fmt;
pid_t old_pid, old_vpid;
+ /* This allows 4 levels of binfmt rewrites before failing hard. */
+ if (depth > 5)
+ return -ELOOP;
+
retval = security_bprm_check(bprm);
if (retval)
return retval;
@@ -1413,12 +1417,8 @@ int search_binary_handler(struct linux_b
if (!try_module_get(fmt->module))
continue;
read_unlock(&binfmt_lock);
+ bprm->recursion_depth = depth + 1;
retval = fn(bprm, regs);
- /*
- * Restore the depth counter to its starting value
- * in this call, so we don't have to rely on every
- * load_binary function to restore it on return.
- */
bprm->recursion_depth = depth;
if (retval >= 0) {
if (depth == 0) {
--- a/include/linux/binfmts.h
+++ b/include/linux/binfmts.h
@@ -68,8 +68,6 @@ struct linux_binprm {
#define BINPRM_FLAGS_EXECFD_BIT 1
#define BINPRM_FLAGS_EXECFD (1 << BINPRM_FLAGS_EXECFD_BIT)
-#define BINPRM_MAX_RECURSION 4
-
/* Function parameter for binfmt->coredump */
struct coredump_params {
long signr;
next prev parent reply other threads:[~2013-03-26 22:52 UTC|newest]
Thread overview: 76+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-03-26 22:50 [ 00/72] 3.4.38-stable review Greg Kroah-Hartman
2013-03-26 22:50 ` [ 01/72] Revert "USB: EHCI: dont check DMA values in QH overlays" Greg Kroah-Hartman
2013-03-26 22:50 ` [ 02/72] sunsu: Fix panic in case of nonexistent port at "console=ttySY" cmdline option Greg Kroah-Hartman
2013-03-26 22:50 ` [ 03/72] net/ipv4: Ensure that location of timestamp option is stored Greg Kroah-Hartman
2013-03-26 22:50 ` [ 04/72] netconsole: dont call __netpoll_cleanup() while atomic Greg Kroah-Hartman
2013-03-26 22:50 ` [ 05/72] bonding: dont call update_speed_duplex() under spinlocks Greg Kroah-Hartman
2013-03-26 22:50 ` [ 06/72] tg3: 5715 does not link up when autoneg off Greg Kroah-Hartman
2013-03-26 22:50 ` [ 07/72] sctp: Use correct sideffect command in duplicate cookie handling Greg Kroah-Hartman
2013-03-26 22:50 ` [ 08/72] sctp: dont break the loop while meeting the active_path so as to find the matched transport Greg Kroah-Hartman
2013-03-26 22:50 ` [ 09/72] ipv4: fix definition of FIB_TABLE_HASHSZ Greg Kroah-Hartman
2013-03-26 22:50 ` [ 10/72] tcp: fix skb_availroom() Greg Kroah-Hartman
2013-03-26 22:50 ` [ 11/72] rtnetlink: Mask the rta_type when range checking Greg Kroah-Hartman
2013-03-26 22:50 ` [ 12/72] vhost/net: fix heads usage of ubuf_info Greg Kroah-Hartman
2013-03-26 22:50 ` [ 13/72] bnx2x: fix occasional statistics off-by-4GB error Greg Kroah-Hartman
2013-03-26 22:50 ` [ 14/72] inet: limit length of fragment queue hash table bucket lists Greg Kroah-Hartman
2013-03-26 22:50 ` [ 15/72] sfc: Do not attempt to flush queues if DMA is disabled Greg Kroah-Hartman
2013-03-26 22:50 ` [ 16/72] sfc: Convert firmware subtypes to native byte order in efx_mcdi_get_board_cfg() Greg Kroah-Hartman
2013-03-26 22:51 ` [ 17/72] sfc: Add parentheses around use of bitfield macro arguments Greg Kroah-Hartman
2013-03-26 22:51 ` [ 18/72] sfc: Fix MCDI structure field lookup Greg Kroah-Hartman
2013-03-26 22:51 ` [ 19/72] sfc: Really disable flow control while flushing Greg Kroah-Hartman
2013-03-26 22:51 ` [ 20/72] sfc: Work-around flush timeout when flushes have completed Greg Kroah-Hartman
2013-03-26 22:51 ` [ 21/72] sfc: lock TX queues when calling netif_device_detach() Greg Kroah-Hartman
2013-03-26 22:51 ` [ 22/72] sfc: Fix timekeeping in efx_mcdi_poll() Greg Kroah-Hartman
2013-03-26 22:51 ` [ 23/72] sfc: Disable VF queues during register self-test Greg Kroah-Hartman
2013-03-26 22:51 ` [ 24/72] sfc: Avoid generating over-length MC_CMD_FLUSH_RX_QUEUES request Greg Kroah-Hartman
2013-03-26 22:51 ` [ 25/72] sfc: Correctly initialise reset_method in siena_test_chip() Greg Kroah-Hartman
2013-03-26 22:51 ` [ 26/72] sfc: Properly sync RX DMA buffer when it is not the last in the page Greg Kroah-Hartman
2013-03-26 22:51 ` [ 27/72] sfc: Fix efx_rx_buf_offset() in the presence of swiotlb Greg Kroah-Hartman
2013-03-26 22:51 ` [ 28/72] sfc: Detach net device when stopping queues for reconfiguration Greg Kroah-Hartman
2013-03-26 22:51 ` [ 29/72] sfc: Disable soft interrupt handling during efx_device_detach_sync() Greg Kroah-Hartman
2013-03-26 22:51 ` [ 30/72] sfc: Only use TX push if a single descriptor is to be written Greg Kroah-Hartman
2013-03-26 22:51 ` [ 31/72] ALSA: hda/cirrus - Fix the digital beep registration Greg Kroah-Hartman
2013-03-26 22:51 ` [ 32/72] ALSA: hda - Fix typo in checking IEC958 emphasis bit Greg Kroah-Hartman
2013-03-26 22:51 ` [ 33/72] ALSA: snd-usb: mixer: propagate errors up the call chain Greg Kroah-Hartman
2013-03-26 22:51 ` [ 34/72] ALSA: snd-usb: mixer: ignore -EINVAL in snd_usb_mixer_controls() Greg Kroah-Hartman
2013-03-26 22:51 ` [ 35/72] drm/i915: restrict kernel address leak in debugfs Greg Kroah-Hartman
2013-03-26 22:51 ` [ 36/72] tracing: Fix race in snapshot swapping Greg Kroah-Hartman
2013-03-26 22:51 ` [ 37/72] tracing: Fix free of probe entry by calling call_rcu_sched() Greg Kroah-Hartman
2013-03-26 22:51 ` [ 38/72] rtlwifi: rtl8192cu: Fix schedule while atomic bug splat Greg Kroah-Hartman
2013-03-26 22:51 ` [ 39/72] rtlwifi: rtl8192cu: Fix problem that prevents reassociation Greg Kroah-Hartman
2013-03-26 22:51 ` [ 40/72] mwifiex: fix potential out-of-boundary access to ibss rate table Greg Kroah-Hartman
2013-03-26 22:51 ` [ 41/72] drm/i915: bounds check execbuffer relocation count Greg Kroah-Hartman
2013-03-26 22:51 ` [ 42/72] KMS: fix EDID detailed timing vsync parsing Greg Kroah-Hartman
2013-03-26 22:51 ` [ 43/72] KMS: fix EDID detailed timing frame rate Greg Kroah-Hartman
2013-03-26 22:51 ` [ 44/72] mm/hugetlb: fix total hugetlbfs pages count when using memory overcommit accouting Greg Kroah-Hartman
2013-03-26 22:51 ` [ 45/72] target/iscsi: Fix mutual CHAP auth on big-endian arches Greg Kroah-Hartman
2013-03-26 22:51 ` [ 46/72] drm/radeon: add Richland pci ids Greg Kroah-Hartman
2013-03-26 22:51 ` [ 47/72] drm/radeon: add support for Richland APUs Greg Kroah-Hartman
2013-03-26 22:51 ` [ 48/72] drm/radeon/benchmark: make sure bo blit copy exists before using it Greg Kroah-Hartman
2013-03-26 22:51 ` [ 49/72] cifs: ignore everything in SPNEGO blob after mechTypes Greg Kroah-Hartman
2013-03-26 22:51 ` [ 50/72] jbd2: fix use after free in jbd2_journal_dirty_metadata() Greg Kroah-Hartman
2013-03-26 22:51 ` [ 51/72] ext4: fix the wrong number of the allocated blocks in ext4_split_extent() Greg Kroah-Hartman
2013-03-26 22:51 ` [ 52/72] usb-storage: add unusual_devs entry for Samsung YP-Z3 mp3 player Greg Kroah-Hartman
2013-03-26 22:51 ` [ 53/72] ext4: fix data=journal fast mount/umount hang Greg Kroah-Hartman
2013-03-26 22:51 ` [ 54/72] IPoIB: Fix send lockup due to missed TX completion Greg Kroah-Hartman
2013-03-26 22:51 ` [ 55/72] clockevents: Dont allow dummy broadcast timers Greg Kroah-Hartman
2013-03-26 22:51 ` [ 56/72] x86-64: Fix the failure case in copy_user_handle_tail() Greg Kroah-Hartman
2013-03-26 22:51 ` [ 57/72] USB: xhci - fix bit definitions for IMAN register Greg Kroah-Hartman
2013-03-26 22:51 ` [ 58/72] USB: xhci: correctly enable interrupts Greg Kroah-Hartman
2013-03-26 22:51 ` [ 59/72] USB: cdc-acm: fix device unregistration Greg Kroah-Hartman
2013-03-26 22:51 ` [ 60/72] USB: serial: fix interface refcounting Greg Kroah-Hartman
2013-03-26 22:51 ` [ 61/72] nohz: Make tick_nohz_irq_exit() irq safe Greg Kroah-Hartman
2013-03-26 22:51 ` [ 62/72] udf: Fix bitmap overflow on large filesystems with small block size Greg Kroah-Hartman
2013-03-26 22:51 ` [ 63/72] USB: garmin_gps: fix memory leak on disconnect Greg Kroah-Hartman
2013-03-26 22:51 ` [ 64/72] USB: io_ti: fix get_icount for two port adapters Greg Kroah-Hartman
2013-03-26 22:51 ` [ 65/72] key: Fix resource leak Greg Kroah-Hartman
2013-03-26 22:51 ` [ 66/72] isofs: avoid info leak on export Greg Kroah-Hartman
2013-03-26 22:51 ` [ 67/72] udf: " Greg Kroah-Hartman
2013-03-26 22:51 ` [ 68/72] tools: hv: Netlink source address validation allows DoS Greg Kroah-Hartman
2013-03-26 22:51 ` [ 69/72] i915: initialize CADL in opregion Greg Kroah-Hartman
2013-03-26 22:51 ` Greg Kroah-Hartman [this message]
2013-03-26 22:51 ` [ 71/72] rt2x00: error in configurations with mesh support disabled Greg Kroah-Hartman
2013-03-26 22:51 ` [ 72/72] asus-laptop: Do not call HWRS on init Greg Kroah-Hartman
2013-03-27 18:33 ` [ 00/72] 3.4.38-stable review Shuah Khan
2013-03-27 18:33 ` Shuah Khan
2013-03-28 14:17 ` Satoru Takeuchi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130326224926.865560953@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=akpm@linux-foundation.org \
--cc=ben@decadent.org.uk \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=me@halfdog.net \
--cc=ppandit@redhat.com \
--cc=stable@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.