Commit d7402698 authored by Kees Cook's avatar Kees Cook Committed by Linus Torvalds

exec: use -ELOOP for max recursion depth

To avoid an explosion of request_module calls on a chain of abusive
scripts, fail maximum recursion with -ELOOP instead of -ENOEXEC. As soon
as maximum recursion depth is hit, the error will fail all the way back
up the chain, aborting immediately.

This also has the side-effect of stopping the user's shell from attempting
to reexecute the top-level file as a shell script. As seen in the
dash source:

        if (cmd != path_bshell && errno == ENOEXEC) {
                *argv-- = cmd;
                *argv = cmd = path_bshell;
                goto repeat;
        }

The above logic was designed for running scripts automatically that lacked
the "#!" header, not to re-try failed recursion. On a legitimate -ENOEXEC,
things continue to behave as the shell expects.

Additionally, when tracking recursion, the binfmt handlers should not be
involved. The recursion being tracked is the depth of calls through
search_binary_handler(), so that function should be exclusively responsible
for tracking the depth.
Signed-off-by: default avatarKees Cook <keescook@chromium.org>
Cc: halfdog <me@halfdog.net>
Cc: P J P <ppandit@redhat.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
parent 8d238027
......@@ -42,7 +42,6 @@ static int load_em86(struct linux_binprm *bprm)
return -ENOEXEC;
}
bprm->recursion_depth++; /* Well, the bang-shell is implicit... */
allow_write_access(bprm->file);
fput(bprm->file);
bprm->file = NULL;
......
......@@ -117,10 +117,6 @@ static int load_misc_binary(struct linux_binprm *bprm)
if (!enabled)
goto _ret;
retval = -ENOEXEC;
if (bprm->recursion_depth > BINPRM_MAX_RECURSION)
goto _ret;
/* to keep locking time low, we copy the interpreter string */
read_lock(&entries_lock);
fmt = check_file(bprm);
......@@ -197,8 +193,6 @@ static int load_misc_binary(struct linux_binprm *bprm)
if (retval < 0)
goto _error;
bprm->recursion_depth++;
retval = search_binary_handler(bprm);
if (retval < 0)
goto _error;
......
......@@ -22,15 +22,13 @@ static int load_script(struct linux_binprm *bprm)
char interp[BINPRM_BUF_SIZE];
int retval;
if ((bprm->buf[0] != '#') || (bprm->buf[1] != '!') ||
(bprm->recursion_depth > BINPRM_MAX_RECURSION))
if ((bprm->buf[0] != '#') || (bprm->buf[1] != '!'))
return -ENOEXEC;
/*
* This section does the #! interpretation.
* Sorta complicated, but hopefully it will work. -TYT
*/
bprm->recursion_depth++;
allow_write_access(bprm->file);
fput(bprm->file);
bprm->file = NULL;
......
......@@ -1356,6 +1356,10 @@ int search_binary_handler(struct linux_binprm *bprm)
struct linux_binfmt *fmt;
pid_t old_pid, old_vpid;
/* This allows 4 levels of binfmt rewrites before failing hard. */
if (depth > 5)
return -ELOOP;
retval = security_bprm_check(bprm);
if (retval)
return retval;
......@@ -1380,12 +1384,8 @@ int search_binary_handler(struct linux_binprm *bprm)
if (!try_module_get(fmt->module))
continue;
read_unlock(&binfmt_lock);
bprm->recursion_depth = depth + 1;
retval = fn(bprm);
/*
* Restore the depth counter to its starting value
* in this call, so we don't have to rely on every
* load_binary function to restore it on return.
*/
bprm->recursion_depth = depth;
if (retval >= 0) {
if (depth == 0) {
......
......@@ -54,8 +54,6 @@ struct linux_binprm {
#define BINPRM_FLAGS_EXECFD_BIT 1
#define BINPRM_FLAGS_EXECFD (1 << BINPRM_FLAGS_EXECFD_BIT)
#define BINPRM_MAX_RECURSION 4
/* Function parameter for binfmt->coredump */
struct coredump_params {
siginfo_t *siginfo;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment