diff options
Diffstat (limited to 'exec-use-eloop-for-max-recursion-depth.patch')
| -rw-r--r-- | exec-use-eloop-for-max-recursion-depth.patch | 144 |
1 files changed, 0 insertions, 144 deletions
diff --git a/exec-use-eloop-for-max-recursion-depth.patch b/exec-use-eloop-for-max-recursion-depth.patch deleted file mode 100644 index a3c48884f..000000000 --- a/exec-use-eloop-for-max-recursion-depth.patch +++ /dev/null @@ -1,144 +0,0 @@ -From ba1b23d05259e31d30a78017cdfbc010dcb08aa6 Mon Sep 17 00:00:00 2001 -From: Kees Cook <keescook@chromium.org> -Date: Mon, 26 Nov 2012 09:02:11 -0500 -Subject: [PATCH 2/2] exec: use -ELOOP for max recursion depth - -To avoid an explosion of request_module calls on a chain of abusive -scripts, fail maximum recursion with -ELOOP instead of -ENOEXEC. As soon -as maximum recursion depth is hit, the error will fail all the way back -up the chain, aborting immediately. - -This also has the side-effect of stopping the user's shell from attempting -to reexecute the top-level file as a shell script. As seen in the -dash source: - - if (cmd != path_bshell && errno == ENOEXEC) { - *argv-- = cmd; - *argv = cmd = path_bshell; - goto repeat; - } - -The above logic was designed for running scripts automatically that lacked -the "#!" header, not to re-try failed recursion. On a legitimate -ENOEXEC, -things continue to behave as the shell expects. - -Additionally, when tracking recursion, the binfmt handlers should not be -involved. The recursion being tracked is the depth of calls through -search_binary_handler(), so that function should be exclusively responsible -for tracking the depth. - -Signed-off-by: Kees Cook <keescook@chromium.org> -Cc: halfdog <me@halfdog.net> -Cc: P J P <ppandit@redhat.com> -Cc: Alexander Viro <viro@zeniv.linux.org.uk> -Signed-off-by: Andrew Morton <akpm@linux-foundation.org> ---- - fs/binfmt_em86.c | 1 - - fs/binfmt_misc.c | 6 ------ - fs/binfmt_script.c | 4 +--- - fs/exec.c | 10 +++++----- - include/linux/binfmts.h | 2 -- - 5 files changed, 6 insertions(+), 17 deletions(-) - -diff --git a/fs/binfmt_em86.c b/fs/binfmt_em86.c -index 2790c7e..575796a 100644 ---- a/fs/binfmt_em86.c -+++ b/fs/binfmt_em86.c -@@ -42,7 +42,6 @@ static int load_em86(struct linux_binprm *bprm,struct pt_regs *regs) - return -ENOEXEC; - } - -- bprm->recursion_depth++; /* Well, the bang-shell is implicit... */ - allow_write_access(bprm->file); - fput(bprm->file); - bprm->file = NULL; -diff --git a/fs/binfmt_misc.c b/fs/binfmt_misc.c -index 772428d..f0f1a06 100644 ---- a/fs/binfmt_misc.c -+++ b/fs/binfmt_misc.c -@@ -117,10 +117,6 @@ static int load_misc_binary(struct linux_binprm *bprm, struct pt_regs *regs) - if (!enabled) - goto _ret; - -- retval = -ENOEXEC; -- if (bprm->recursion_depth > BINPRM_MAX_RECURSION) -- goto _ret; -- - /* to keep locking time low, we copy the interpreter string */ - read_lock(&entries_lock); - fmt = check_file(bprm); -@@ -200,8 +196,6 @@ static int load_misc_binary(struct linux_binprm *bprm, struct pt_regs *regs) - if (retval < 0) - goto _error; - -- bprm->recursion_depth++; -- - retval = search_binary_handler (bprm, regs); - if (retval < 0) - goto _error; -diff --git a/fs/binfmt_script.c b/fs/binfmt_script.c -index df49d48..8ae4be1 100644 ---- a/fs/binfmt_script.c -+++ b/fs/binfmt_script.c -@@ -22,15 +22,13 @@ static int load_script(struct linux_binprm *bprm,struct pt_regs *regs) - char interp[BINPRM_BUF_SIZE]; - int retval; - -- if ((bprm->buf[0] != '#') || (bprm->buf[1] != '!') || -- (bprm->recursion_depth > BINPRM_MAX_RECURSION)) -+ if ((bprm->buf[0] != '#') || (bprm->buf[1] != '!')) - return -ENOEXEC; - /* - * This section does the #! interpretation. - * Sorta complicated, but hopefully it will work. -TYT - */ - -- bprm->recursion_depth++; - allow_write_access(bprm->file); - fput(bprm->file); - bprm->file = NULL; -diff --git a/fs/exec.c b/fs/exec.c -index c6e6de4..85c1f9e 100644 ---- a/fs/exec.c -+++ b/fs/exec.c -@@ -1371,6 +1371,10 @@ int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs) - struct linux_binfmt *fmt; - pid_t old_pid, old_vpid; - -+ /* This allows 4 levels of binfmt rewrites before failing hard. */ -+ if (depth > 5) -+ return -ELOOP; -+ - retval = security_bprm_check(bprm); - if (retval) - return retval; -@@ -1395,12 +1399,8 @@ int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs) - if (!try_module_get(fmt->module)) - continue; - read_unlock(&binfmt_lock); -+ bprm->recursion_depth = depth + 1; - retval = fn(bprm, regs); -- /* -- * Restore the depth counter to its starting value -- * in this call, so we don't have to rely on every -- * load_binary function to restore it on return. -- */ - bprm->recursion_depth = depth; - if (retval >= 0) { - if (depth == 0) { -diff --git a/include/linux/binfmts.h b/include/linux/binfmts.h -index de0628e..54135f6 100644 ---- a/include/linux/binfmts.h -+++ b/include/linux/binfmts.h -@@ -54,8 +54,6 @@ struct linux_binprm { - #define BINPRM_FLAGS_EXECFD_BIT 1 - #define BINPRM_FLAGS_EXECFD (1 << BINPRM_FLAGS_EXECFD_BIT) - --#define BINPRM_MAX_RECURSION 4 -- - /* Function parameter for binfmt->coredump */ - struct coredump_params { - siginfo_t *siginfo; --- -1.8.0 - |