exec: use -ELOOP for max recursion depth
To avoid an explosion of request_module calls on a chain of abusive scripts, fail maximum recursion with -ELOOP instead of -ENOEXEC. As soon as maximum recursion depth is hit, the error will fail all the way back up the chain, aborting immediately. This also has the side-effect of stopping the user's shell from attempting to reexecute the top-level file as a shell script. As seen in the dash source: if (cmd != path_bshell && errno == ENOEXEC) { *argv-- = cmd; *argv = cmd = path_bshell; goto repeat; } The above logic was designed for running scripts automatically that lacked the "#!" header, not to re-try failed recursion. On a legitimate -ENOEXEC, things continue to behave as the shell expects. Additionally, when tracking recursion, the binfmt handlers should not be involved. The recursion being tracked is the depth of calls through search_binary_handler(), so that function should be exclusively responsible for tracking the depth. Signed-off-by: Kees Cook <keescook@chromium.org> Cc: halfdog <me@halfdog.net> Cc: P J P <ppandit@redhat.com> Cc: Alexander Viro <viro@zeniv.linux.org.uk> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
This commit is contained in:
parent
8d238027b8
commit
d740269867
@ -42,7 +42,6 @@ static int load_em86(struct linux_binprm *bprm)
|
||||
return -ENOEXEC;
|
||||
}
|
||||
|
||||
bprm->recursion_depth++; /* Well, the bang-shell is implicit... */
|
||||
allow_write_access(bprm->file);
|
||||
fput(bprm->file);
|
||||
bprm->file = NULL;
|
||||
|
@ -117,10 +117,6 @@ static int load_misc_binary(struct linux_binprm *bprm)
|
||||
if (!enabled)
|
||||
goto _ret;
|
||||
|
||||
retval = -ENOEXEC;
|
||||
if (bprm->recursion_depth > BINPRM_MAX_RECURSION)
|
||||
goto _ret;
|
||||
|
||||
/* to keep locking time low, we copy the interpreter string */
|
||||
read_lock(&entries_lock);
|
||||
fmt = check_file(bprm);
|
||||
@ -197,8 +193,6 @@ static int load_misc_binary(struct linux_binprm *bprm)
|
||||
if (retval < 0)
|
||||
goto _error;
|
||||
|
||||
bprm->recursion_depth++;
|
||||
|
||||
retval = search_binary_handler(bprm);
|
||||
if (retval < 0)
|
||||
goto _error;
|
||||
|
@ -22,15 +22,13 @@ static int load_script(struct linux_binprm *bprm)
|
||||
char interp[BINPRM_BUF_SIZE];
|
||||
int retval;
|
||||
|
||||
if ((bprm->buf[0] != '#') || (bprm->buf[1] != '!') ||
|
||||
(bprm->recursion_depth > BINPRM_MAX_RECURSION))
|
||||
if ((bprm->buf[0] != '#') || (bprm->buf[1] != '!'))
|
||||
return -ENOEXEC;
|
||||
/*
|
||||
* This section does the #! interpretation.
|
||||
* Sorta complicated, but hopefully it will work. -TYT
|
||||
*/
|
||||
|
||||
bprm->recursion_depth++;
|
||||
allow_write_access(bprm->file);
|
||||
fput(bprm->file);
|
||||
bprm->file = NULL;
|
||||
|
10
fs/exec.c
10
fs/exec.c
@ -1356,6 +1356,10 @@ int search_binary_handler(struct linux_binprm *bprm)
|
||||
struct linux_binfmt *fmt;
|
||||
pid_t old_pid, old_vpid;
|
||||
|
||||
/* This allows 4 levels of binfmt rewrites before failing hard. */
|
||||
if (depth > 5)
|
||||
return -ELOOP;
|
||||
|
||||
retval = security_bprm_check(bprm);
|
||||
if (retval)
|
||||
return retval;
|
||||
@ -1380,12 +1384,8 @@ int search_binary_handler(struct linux_binprm *bprm)
|
||||
if (!try_module_get(fmt->module))
|
||||
continue;
|
||||
read_unlock(&binfmt_lock);
|
||||
bprm->recursion_depth = depth + 1;
|
||||
retval = fn(bprm);
|
||||
/*
|
||||
* Restore the depth counter to its starting value
|
||||
* in this call, so we don't have to rely on every
|
||||
* load_binary function to restore it on return.
|
||||
*/
|
||||
bprm->recursion_depth = depth;
|
||||
if (retval >= 0) {
|
||||
if (depth == 0) {
|
||||
|
@ -54,8 +54,6 @@ struct linux_binprm {
|
||||
#define BINPRM_FLAGS_EXECFD_BIT 1
|
||||
#define BINPRM_FLAGS_EXECFD (1 << BINPRM_FLAGS_EXECFD_BIT)
|
||||
|
||||
#define BINPRM_MAX_RECURSION 4
|
||||
|
||||
/* Function parameter for binfmt->coredump */
|
||||
struct coredump_params {
|
||||
siginfo_t *siginfo;
|
||||
|
Loading…
Reference in New Issue
Block a user