diff options
| author | Kees Cook <keescook@chromium.org> | 2012-12-06 17:00:21 +1100 |
|---|---|---|
| committer | Ben Hutchings <ben@decadent.org.uk> | 2013-03-06 03:24:28 +0000 |
| commit | 511d07bc0a060049009954eeb8b34eda016c9c0e (patch) | |
| tree | 308c616503dae50080aa6009280124828fc46fca /fs/exec.c | |
| parent | d0820f8020fa87d9e0433b062fca2b7206e0cd11 (diff) | |
| download | linux-rt-511d07bc0a060049009954eeb8b34eda016c9c0e.tar.gz | |
exec: use -ELOOP for max recursion depth
commit d740269867021faf4ce38a449353d2b986c34a67 upstream.
To avoid an explosion of request_module calls on a chain of abusive
scripts, fail maximum recursion with -ELOOP instead of -ENOEXEC. As soon
as maximum recursion depth is hit, the error will fail all the way back
up the chain, aborting immediately.
This also has the side-effect of stopping the user's shell from attempting
to reexecute the top-level file as a shell script. As seen in the
dash source:
if (cmd != path_bshell && errno == ENOEXEC) {
*argv-- = cmd;
*argv = cmd = path_bshell;
goto repeat;
}
The above logic was designed for running scripts automatically that lacked
the "#!" header, not to re-try failed recursion. On a legitimate -ENOEXEC,
things continue to behave as the shell expects.
Additionally, when tracking recursion, the binfmt handlers should not be
involved. The recursion being tracked is the depth of calls through
search_binary_handler(), so that function should be exclusively responsible
for tracking the depth.
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: halfdog <me@halfdog.net>
Cc: P J P <ppandit@redhat.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Diffstat (limited to 'fs/exec.c')
| -rw-r--r-- | fs/exec.c | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/fs/exec.c b/fs/exec.c index c27fa0d7f534..312e297c4871 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -1385,6 +1385,10 @@ int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs) struct linux_binfmt *fmt; pid_t old_pid; + /* This allows 4 levels of binfmt rewrites before failing hard. */ + if (depth > 5) + return -ELOOP; + retval = security_bprm_check(bprm); if (retval) return retval; @@ -1408,12 +1412,8 @@ int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs) if (!try_module_get(fmt->module)) continue; read_unlock(&binfmt_lock); + bprm->recursion_depth = depth + 1; retval = fn(bprm, regs); - /* - * Restore the depth counter to its starting value - * in this call, so we don't have to rely on every - * load_binary function to restore it on return. - */ bprm->recursion_depth = depth; if (retval >= 0) { if (depth == 0) |