* Re: [PATCH] binfmt_misc.c: avoid potential kernel stack overflow [not found] <20080818112849.GA4951@localhost.localdomain> @ 2008-08-18 14:09 ` Pavel Emelyanov 2008-08-18 14:44 ` Kirill A. Shutemov 2008-08-18 23:20 ` Andrew Morton 0 siblings, 2 replies; 5+ messages in thread From: Pavel Emelyanov @ 2008-08-18 14:09 UTC (permalink / raw) To: Kirill A. Shutemov Cc: Linux Kernel Mailing List, Andrew Morton, Linus Torvalds (Put lkml in Cc. The original message is beyond) Oops! My fault. The problem is that in case of modularized binfmt, the appropriate binary handler gets registered _before_ the script one and sets the misc_bang flag even too early. Thus when we launch a script the load_misc_binary sets this bang, then returns error, since the binary is actually a script, then the load_script_binary successfully loads the script, then it loads the misc binary again, which exits with the -ENOEXEC error due to bang set. This patch helped my box, what about yours? diff --git a/fs/binfmt_misc.c b/fs/binfmt_misc.c index 7562053..8d7e88e 100644 --- a/fs/binfmt_misc.c +++ b/fs/binfmt_misc.c @@ -120,8 +120,6 @@ static int load_misc_binary(struct linux_binprm *bprm, struct pt_regs *regs) if (bprm->misc_bang) goto _ret; - bprm->misc_bang = 1; - /* to keep locking time low, we copy the interpreter string */ read_lock(&entries_lock); fmt = check_file(bprm); 
@@ -199,6 +197,8 @@ static int load_misc_binary(struct linux_binprm *bprm, struct pt_regs *regs) if (retval < 0) goto _error; + bprm->misc_bang = 1; + retval = search_binary_handler (bprm, regs); if (retval < 0) goto _error; > On Tue, Apr 29, 2008 at 12:59:24AM -0700, Pavel Emelyanov wrote: >> This can be triggered with root help only, but... >> >> Register the ":text:E::txt::/root/cat.txt:' rule in binfmt_misc (by root) and >> try launching the cat.txt file (by anyone) :) The result is - the endless >> recursion in the load_misc_binary -> open_exec -> load_misc_binary chain and >> stack overflow. >> >> There's a similar problem with binfmt_script, and there's a sh_bang memner on >> linux_binprm structure to handle this, but simply raising this in binfmt_misc >> may break some setups when the interpreter of some misc binaries is a script. >> >> So the proposal is to turn sh_bang into a bit, add a new one (the misc_bang) >> and raise it in load_misc_binary. After this, even if we set up the misc -> >> script -> misc loop for binfmts one of them will step on its own bang and >> exit. > > This patch causes problem in some cases, if the kernel compiled with > CONFIG_BINFMT_MISC=m: > > $ pwd > /tmp/chroot > $ cat test0.c > #include <stdio.h> > > int main(void) > { > printf("test\n"); > return 0; > } > $ gcc test0.c -o test0 -static > $ sudo sh -c 'echo ":test:M::123::/test0:" > /proc/sys/fs/binfmt_misc/register' > $ cat test1 > 123 > $ cat test2 > #!/test1 > $ sudo chroot /tmp/chroot /test2 > chroot: cannot run command `/test2': No such file or directory > $ sudo strace chroot /tmp/chroot /test2 > ... > execve("/test2", ["/test2"], [/* 54 vars */]) = -1 ENOEXEC (Exec format error) > ... > > This test works fine if I revert the patch or compile with CONFIG_BINFMT_MISC=y. > ^ permalink raw reply related [flat|nested] 5+ messages in thread
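Review bot: in the first hunk (@@ -120,8 +120,6 @@), removing `bprm->misc_bang = 1;` from directly below the `if (bprm->misc_bang) goto _ret;` check changes what the bit means, since it is no longer set when check_file() finds no matching rule, but the early check is left with nothing saying so; a one-line comment at that check ("set only once a rule matched and its interpreter was opened, see below") would keep a later reader from restoring the old placement. The subject line is also still the one from the original patch; since this fixes a regression that patch introduced, the subject and changelog should say so and name the commit being fixed, as the changelog written later in this thread does.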
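Review bot: in the second hunk (@@ -199,6 +197,8 @@), placing `bprm->misc_bang = 1;` immediately before the recursive `search_binary_handler (bprm, regs)` call, after the interpreter has been opened and the preceding `if (retval < 0) goto _error;` has passed, is the right spot: the bit now marks the bprm only once this handler has actually claimed the file, so a misc module that is tried ahead of binfmt_script no longer poisons the bprm when it returns -ENOEXEC for a plain script, while the misc -> script -> misc loop is still cut because the bit is set before the recursion starts. Add a comment at this line stating that the late placement is deliberate because of the modular registration order; without it the set looks like it could safely be hoisted back above check_file(), which is exactly the bug being fixed.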
* Re: [PATCH] binfmt_misc.c: avoid potential kernel stack overflow
From: Kirill A. Shutemov @ 2008-08-18 14:44 UTC
To: Pavel Emelyanov; +Cc: Linux Kernel Mailing List, Andrew Morton, Linus Torvalds

On Mon, Aug 18, 2008 at 06:09:23PM +0400, Pavel Emelyanov wrote:
> (Put lkml in Cc. The original message is beyond)
>
> Oops! My fault. The problem is that in case of modularized binfmt,
> the appropriate binary handler gets registered _before_ the script
> one and sets the misc_bang flag even too early.
>
> Thus when we launch a script the load_misc_binary sets this bang,
> then returns error, since the binary is actually a script, then the
> load_script_binary successfully loads the script, then it loads the
> misc binary again, which exits with the -ENOEXEC error due to bang
> set.
>
> This patch helped my box, what about yours?

It works. Thank you.

Reported-and-tested-by: Kirill A. Shutemov <kirill@shutemov.name>

I have noticed yet another problem: more than one bit of sh_bang can be
used on alpha:

fs/exec.c
1189         return retval;
1190
1191         /* Remember if the application is TASO. */
1192         bprm->sh_bang = eh->ah.entry < 0x100000000UL;
1193
1194         bprm->file = file;

--
Regards, Kirill A. Shutemov
 + Belarus, Minsk
 + ALT Linux Team, http://www.altlinux.com/
* Re: [PATCH] binfmt_misc.c: avoid potential kernel stack overflow
From: Kirill A. Shutemov @ 2008-08-18 14:51 UTC
To: Pavel Emelyanov; +Cc: Linux Kernel Mailing List, Andrew Morton, Linus Torvalds

On Mon, Aug 18, 2008 at 05:44:19PM +0300, Kirill A. Shutemov wrote:
> I have noticed yet another problem: more than one bit of sh_bang can be
> used on alpha:
>
> fs/exec.c
> 1189         return retval;
> 1190
> 1191         /* Remember if the application is TASO. */
> 1192         bprm->sh_bang = eh->ah.entry < 0x100000000UL;
> 1193
> 1194         bprm->file = file;

Sorry. Please ignore this part of the message. %)

--
Regards, Kirill A. Shutemov
 + Belarus, Minsk
 + ALT Linux Team, http://www.altlinux.com/
* Re: [PATCH] binfmt_misc.c: avoid potential kernel stack overflow 2008-08-18 14:09 ` [PATCH] binfmt_misc.c: avoid potential kernel stack overflow Pavel Emelyanov 2008-08-18 14:44 ` Kirill A. Shutemov @ 2008-08-18 23:20 ` Andrew Morton 2008-08-19 10:08 ` Pavel Emelyanov 1 sibling, 1 reply; 5+ messages in thread From: Andrew Morton @ 2008-08-18 23:20 UTC (permalink / raw) To: Pavel Emelyanov; +Cc: kirill, linux-kernel, torvalds On Mon, 18 Aug 2008 18:09:23 +0400 Pavel Emelyanov <xemul@openvz.org> wrote: > (Put lkml in Cc. The original message is beyond) > > Oops! My fault. The problem is that in case of modularized binfmt, > the appropriate binary handler gets registered _before_ the script > one and sets the misc_bang flag even too early. > > Thus when we launch a script the load_misc_binary sets this bang, > then returns error, since the binary is actually a script, then the > load_script_binary successfully loads the script, then it loads the > misc binary again, which exits with the -ENOEXEC error due to bang > set. > > This patch helped my box, what about yours? > > diff --git a/fs/binfmt_misc.c b/fs/binfmt_misc.c > index 7562053..8d7e88e 100644 > --- a/fs/binfmt_misc.c > +++ b/fs/binfmt_misc.c > @@ -120,8 +120,6 @@ static int load_misc_binary(struct linux_binprm *bprm, struct pt_regs *regs) > if (bprm->misc_bang) > goto _ret; > > - bprm->misc_bang = 1; > - > /* to keep locking time low, we copy the interpreter string */ > read_lock(&entries_lock); > fmt = check_file(bprm); > @@ -199,6 +197,8 @@ static int load_misc_binary(struct linux_binprm *bprm, struct pt_regs *regs) > if (retval < 0) > goto _error; > > + bprm->misc_bang = 1; > + > retval = search_binary_handler (bprm, regs); > if (retval < 0) > goto _error; <scrabble, hunt> I put together the below description. It has no signed-off-by: (yet). Has this been sufficiently well tested and checked to be in a merge-ready state? Thanks. 
From: Pavel Emelyanov <xemul@openvz.org> Fix a regression introduced by 3a2e7f47d71e1df86acc1dda6826890b6546a4e1 ("binfmt_misc.c: avoid potential kernel stack overflow"). In the case of modularized binfmt, the appropriate binary handler gets registered _before_ the script one and sets the misc_bang flag even too early. Thus when we launch a script the load_misc_binary sets this bang, then returns error, since the binary is actually a script, then the load_script_binary successfully loads the script, then it loads the misc binary again, which exits with the -ENOEXEC error due to bang set. Reported-and-tested-by: Kirill A. Shutemov <kirill@shutemov.name> Cc: <stable@kernel.org> [2.6.26.x] Signed-off-by: Andrew Morton <akpm@linux-foundation.org> --- fs/binfmt_misc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff -puN fs/binfmt_misc.c~binfmt_miscc-avoid-potential-kernel-stack-overflow fs/binfmt_misc.c --- a/fs/binfmt_misc.c~binfmt_miscc-avoid-potential-kernel-stack-overflow +++ a/fs/binfmt_misc.c @@ -120,8 +120,6 @@ static int load_misc_binary(struct linux if (bprm->misc_bang) goto _ret; - bprm->misc_bang = 1; - /* to keep locking time low, we copy the interpreter string */ read_lock(&entries_lock); fmt = check_file(bprm); @@ -199,6 +197,8 @@ static int load_misc_binary(struct linux if (retval < 0) goto _error; + bprm->misc_bang = 1; + retval = search_binary_handler (bprm, regs); if (retval < 0) goto _error; _ ^ permalink raw reply [flat|nested] 5+ messages in thread
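Review bot: the changelog above the hunks says the misc handler "gets registered _before_ the script one" without saying this happens only in the modular build; adding "with CONFIG_BINFMT_MISC=m" makes clear why the built-in configuration never produced the -ENOEXEC that Kirill reported. Since the behaviour of the moved `bprm->misc_bang = 1;` depends on handler order, the Reported-and-tested-by should be backed by running Kirill's test2 chroot case in both the =m and =y builds and re-running the original self-referencing rule before the Cc: stable tag sends this to 2.6.26.x.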
* Re: [PATCH] binfmt_misc.c: avoid potential kernel stack overflow 2008-08-18 23:20 ` Andrew Morton @ 2008-08-19 10:08 ` Pavel Emelyanov 0 siblings, 0 replies; 5+ messages in thread From: Pavel Emelyanov @ 2008-08-19 10:08 UTC (permalink / raw) To: Andrew Morton; +Cc: kirill, linux-kernel, torvalds Andrew Morton wrote: > On Mon, 18 Aug 2008 18:09:23 +0400 > Pavel Emelyanov <xemul@openvz.org> wrote: > >> (Put lkml in Cc. The original message is beyond) >> >> Oops! My fault. The problem is that in case of modularized binfmt, >> the appropriate binary handler gets registered _before_ the script >> one and sets the misc_bang flag even too early. >> >> Thus when we launch a script the load_misc_binary sets this bang, >> then returns error, since the binary is actually a script, then the >> load_script_binary successfully loads the script, then it loads the >> misc binary again, which exits with the -ENOEXEC error due to bang >> set. >> >> This patch helped my box, what about yours? >> >> diff --git a/fs/binfmt_misc.c b/fs/binfmt_misc.c >> index 7562053..8d7e88e 100644 >> --- a/fs/binfmt_misc.c >> +++ b/fs/binfmt_misc.c >> @@ -120,8 +120,6 @@ static int load_misc_binary(struct linux_binprm *bprm, struct pt_regs *regs) >> if (bprm->misc_bang) >> goto _ret; >> >> - bprm->misc_bang = 1; >> - >> /* to keep locking time low, we copy the interpreter string */ >> read_lock(&entries_lock); >> fmt = check_file(bprm); 
>> @@ -199,6 +197,8 @@ static int load_misc_binary(struct linux_binprm *bprm, struct pt_regs *regs) >> if (retval < 0) >> goto _error; >> >> + bprm->misc_bang = 1; >> + >> retval = search_binary_handler (bprm, regs); >> if (retval < 0) >> goto _error; > > <scrabble, hunt> > > I put together the below description. It has no signed-off-by: (yet). Well, sorry for that, I just wanted to get the Kirill's approval of the fix, while testing other things myself. I sent the properly formatted patch later. So can you, please, pick the comment and/or subject from that one (which is a bit less messy, I think)? > Has this been sufficiently well tested and checked to be in a merge-ready > state? I have checked different combinations, so I believe it has. > Thanks. Thanks, Pavel ^ permalink raw reply [flat|nested] 5+ messages in thread
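The handler loop this thread argues about, as an added C model that is not kernel code and not from any participant: it reproduces the unbounded misc -> misc recursion that the bang bit in 3a2e7f4 was introduced to stop, Kirill's -ENOEXEC when that bit is set before check_file() and the misc module is tried ahead of binfmt_script, and the late placement from the fix. The file table, the MAX_DEPTH cap standing in for stack exhaustion, and the `misc_first` flag modelling CONFIG_BINFMT_MISC=m registration order are constructed assumptions.

```c
#include <errno.h>
#include <string.h>
/* Toy model of the execve() handler loop (added example, not kernel code). The
 * constructed file table mirrors Kirill's chroot plus Pavel's self-referencing rule. */
enum kind { K_ELF, K_SCRIPT, K_MISC };
struct file { const char *name; enum kind kind; const char *interp; };
static const struct file fs[] = {
    { "/test0", K_ELF, NULL }, { "/test1", K_MISC, "/test0" },   /* "123" -> misc rule */
    { "/test2", K_SCRIPT, "/test1" }, { "/root/cat.txt", K_MISC, "/root/cat.txt" },
};
/* Where load_misc sets misc_bang: never (before 3a2e7f4), before check_file()
 * (3a2e7f4 as merged), or just before recursing (the fix in this thread). */
enum bang { BANG_NONE, BANG_EARLY, BANG_LATE };
struct binprm { const struct file *file; unsigned sh_bang:1, misc_bang:1; int depth;
                enum bang mode; int misc_first; /* CONFIG_BINFMT_MISC=m ordering */ };
#define MAX_DEPTH 16  /* stands in for the kernel stack running out */
static const struct file *open_exec(const char *name) {
    for (int i = 0; i < (int)(sizeof fs / sizeof *fs); i++)
        if (!strcmp(fs[i].name, name)) return &fs[i];
    return NULL;
}
static int search_binary_handler(struct binprm *b);
static int load_elf(struct binprm *b) { return b->file->kind == K_ELF ? 0 : -ENOEXEC; }
static int load_script(struct binprm *b) {
    if (b->file->kind != K_SCRIPT || b->sh_bang) return -ENOEXEC;
    b->sh_bang = 1;
    b->file = open_exec(b->file->interp);
    return search_binary_handler(b);
}
static int load_misc(struct binprm *b) {
    if (b->misc_bang) return -ENOEXEC;
    if (b->mode == BANG_EARLY) b->misc_bang = 1;
    if (b->file->kind != K_MISC) return -ENOEXEC;  /* check_file(): no rule matches */
    b->file = open_exec(b->file->interp);          /* open the rule's interpreter */
    if (b->mode == BANG_LATE) b->misc_bang = 1;
    return search_binary_handler(b);
}
static int search_binary_handler(struct binprm *b) {
    int (*fmts[3])(struct binprm *) = { load_elf, load_script, load_misc };
    if (b->misc_first) { fmts[0] = load_misc; fmts[1] = load_elf; fmts[2] = load_script; }
    if (!b->file) return -ENOENT;
    if (++b->depth > MAX_DEPTH) return -ELOOP;     /* the real kernel overflows its stack here */
    for (int i = 0; i < 3; i++) { int r = fmts[i](b); if (r != -ENOEXEC) return r; }
    return -ENOEXEC;
}
int run_exec(const char *path, enum bang mode, int misc_first) {  /* one execve() of path */
    struct binprm b = { open_exec(path), 0, 0, 0, mode, misc_first };
    return search_binary_handler(&b);
}
```

With BANG_EARLY and misc_first set, run_exec("/test2", ...) returns -ENOEXEC exactly as Kirill's strace shows, while BANG_LATE succeeds in both orders and still stops the cat.txt loop.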