kernel/exec-use-eloop-for-max-recursion-depth.patch

From ba1b23d05259e31d30a78017cdfbc010dcb08aa6 Mon Sep 17 00:00:00 2001
From: Kees Cook <keescook@chromium.org>
Date: Mon, 26 Nov 2012 09:02:11 -0500
Subject: [PATCH 2/2] exec: use -ELOOP for max recursion depth

To avoid an explosion of request_module calls on a chain of abusive
scripts, fail maximum recursion with -ELOOP instead of -ENOEXEC. As soon
as maximum recursion depth is hit, the error will fail all the way back
up the chain, aborting immediately.

This also has the side-effect of stopping the user's shell from attempting
to reexecute the top-level file as a shell script. As seen in the
dash source:

        if (cmd != path_bshell && errno == ENOEXEC) {
                *argv-- = cmd;
                *argv = cmd = path_bshell;
                goto repeat;
        }

The above logic was designed for running scripts automatically that lacked
the "#!" header, not to re-try failed recursion. On a legitimate -ENOEXEC,
things continue to behave as the shell expects.

Additionally, when tracking recursion, the binfmt handlers should not be
involved. The recursion being tracked is the depth of calls through
search_binary_handler(), so that function should be exclusively responsible
for tracking the depth.

Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: halfdog <me@halfdog.net>
Cc: P J P <ppandit@redhat.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
---
 fs/binfmt_em86.c        |  1 -
 fs/binfmt_misc.c        |  6 ------
 fs/binfmt_script.c      |  4 +---
 fs/exec.c               | 10 +++++-----
 include/linux/binfmts.h |  2 --
 5 files changed, 6 insertions(+), 17 deletions(-)

diff --git a/fs/binfmt_em86.c b/fs/binfmt_em86.c
index 2790c7e..575796a 100644
--- a/fs/binfmt_em86.c
+++ b/fs/binfmt_em86.c
@@ -42,7 +42,6 @@ static int load_em86(struct linux_binprm *bprm,struct pt_regs *regs)
 			return -ENOEXEC;
 	}
 
-	bprm->recursion_depth++; /* Well, the bang-shell is implicit... */
 	allow_write_access(bprm->file);
 	fput(bprm->file);
 	bprm->file = NULL;
diff --git a/fs/binfmt_misc.c b/fs/binfmt_misc.c
index 772428d..f0f1a06 100644
--- a/fs/binfmt_misc.c
+++ b/fs/binfmt_misc.c
@@ -117,10 +117,6 @@ static int load_misc_binary(struct linux_binprm *bprm, struct pt_regs *regs)
 	if (!enabled)
 		goto _ret;
 
-	retval = -ENOEXEC;
-	if (bprm->recursion_depth > BINPRM_MAX_RECURSION)
-		goto _ret;
-
 	/* to keep locking time low, we copy the interpreter string */
 	read_lock(&entries_lock);
 	fmt = check_file(bprm);
@@ -200,8 +196,6 @@ static int load_misc_binary(struct linux_binprm *bprm, struct pt_regs *regs)
 	if (retval < 0)
 		goto _error;
 
-	bprm->recursion_depth++;
-
 	retval = search_binary_handler (bprm, regs);
 	if (retval < 0)
 		goto _error;
diff --git a/fs/binfmt_script.c b/fs/binfmt_script.c
index df49d48..8ae4be1 100644
--- a/fs/binfmt_script.c
+++ b/fs/binfmt_script.c
@@ -22,15 +22,13 @@ static int load_script(struct linux_binprm *bprm,struct pt_regs *regs)
 	char interp[BINPRM_BUF_SIZE];
 	int retval;
 
-	if ((bprm->buf[0] != '#') || (bprm->buf[1] != '!') ||
-	    (bprm->recursion_depth > BINPRM_MAX_RECURSION))
+	if ((bprm->buf[0] != '#') || (bprm->buf[1] != '!'))
 		return -ENOEXEC;
 	/*
 	 * This section does the #! interpretation.
 	 * Sorta complicated, but hopefully it will work.  -TYT
 	 */
 
-	bprm->recursion_depth++;
 	allow_write_access(bprm->file);
 	fput(bprm->file);
 	bprm->file = NULL;
diff --git a/fs/exec.c b/fs/exec.c
index c6e6de4..85c1f9e 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -1371,6 +1371,10 @@ int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs)
 	struct linux_binfmt *fmt;
 	pid_t old_pid, old_vpid;
 
+	/* This allows 4 levels of binfmt rewrites before failing hard. */
+	if (depth > 5)
+		return -ELOOP;
+
 	retval = security_bprm_check(bprm);
 	if (retval)
 		return retval;
@@ -1395,12 +1399,8 @@ int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs)
 			if (!try_module_get(fmt->module))
 				continue;
 			read_unlock(&binfmt_lock);
+			bprm->recursion_depth = depth + 1;
 			retval = fn(bprm, regs);
-			/*
-			 * Restore the depth counter to its starting value
-			 * in this call, so we don't have to rely on every
-			 * load_binary function to restore it on return.
-			 */
 			bprm->recursion_depth = depth;
 			if (retval >= 0) {
 				if (depth == 0) {
diff --git a/include/linux/binfmts.h b/include/linux/binfmts.h
index de0628e..54135f6 100644
--- a/include/linux/binfmts.h
+++ b/include/linux/binfmts.h
@@ -54,8 +54,6 @@ struct linux_binprm {
 #define BINPRM_FLAGS_EXECFD_BIT 1
 #define BINPRM_FLAGS_EXECFD (1 << BINPRM_FLAGS_EXECFD_BIT)
 
-#define BINPRM_MAX_RECURSION 4
-
 /* Function parameter for binfmt->coredump */
 struct coredump_params {
 	siginfo_t *siginfo;
-- 
1.8.0
CVE-2012-4530: stack disclosure binfmt_script load_script (rhbz 868285 880147) 2012-11-26 14:03:26 +00:00			`From ba1b23d05259e31d30a78017cdfbc010dcb08aa6 Mon Sep 17 00:00:00 2001`
			`From: Kees Cook <keescook@chromium.org>`
			`Date: Mon, 26 Nov 2012 09:02:11 -0500`
			`Subject: [PATCH 2/2] exec: use -ELOOP for max recursion depth`

			`To avoid an explosion of request_module calls on a chain of abusive`
			`scripts, fail maximum recursion with -ELOOP instead of -ENOEXEC. As soon`
			`as maximum recursion depth is hit, the error will fail all the way back`
			`up the chain, aborting immediately.`

			`This also has the side-effect of stopping the user's shell from attempting`
			`to reexecute the top-level file as a shell script. As seen in the`
			`dash source:`

			`if (cmd != path_bshell && errno == ENOEXEC) {`
			`*argv-- = cmd;`
			`*argv = cmd = path_bshell;`
			`goto repeat;`
			`}`

			`The above logic was designed for running scripts automatically that lacked`
			`the "#!" header, not to re-try failed recursion. On a legitimate -ENOEXEC,`
			`things continue to behave as the shell expects.`

			`Additionally, when tracking recursion, the binfmt handlers should not be`
			`involved. The recursion being tracked is the depth of calls through`
			`search_binary_handler(), so that function should be exclusively responsible`
			`for tracking the depth.`

			`Signed-off-by: Kees Cook <keescook@chromium.org>`
			`Cc: halfdog <me@halfdog.net>`
			`Cc: P J P <ppandit@redhat.com>`
			`Cc: Alexander Viro <viro@zeniv.linux.org.uk>`
			`Signed-off-by: Andrew Morton <akpm@linux-foundation.org>`
			`---`
			`fs/binfmt_em86.c \| 1 -`
			`fs/binfmt_misc.c \| 6 ------`
			`fs/binfmt_script.c \| 4 +---`
			`fs/exec.c \| 10 +++++-----`
			`include/linux/binfmts.h \| 2 --`
			`5 files changed, 6 insertions(+), 17 deletions(-)`

			`diff --git a/fs/binfmt_em86.c b/fs/binfmt_em86.c`
			`index 2790c7e..575796a 100644`
			`--- a/fs/binfmt_em86.c`
			`+++ b/fs/binfmt_em86.c`
			`@@ -42,7 +42,6 @@ static int load_em86(struct linux_binprm bprm,struct pt_regs regs)`
			`return -ENOEXEC;`
			`}`

			`- bprm->recursion_depth++; /* Well, the bang-shell is implicit... */`
			`allow_write_access(bprm->file);`
			`fput(bprm->file);`
			`bprm->file = NULL;`
			`diff --git a/fs/binfmt_misc.c b/fs/binfmt_misc.c`
			`index 772428d..f0f1a06 100644`
			`--- a/fs/binfmt_misc.c`
			`+++ b/fs/binfmt_misc.c`
			`@@ -117,10 +117,6 @@ static int load_misc_binary(struct linux_binprm bprm, struct pt_regs regs)`
			`if (!enabled)`
			`goto _ret;`

			`- retval = -ENOEXEC;`
			`- if (bprm->recursion_depth > BINPRM_MAX_RECURSION)`
			`- goto _ret;`
			`-`
			`/* to keep locking time low, we copy the interpreter string */`
			`read_lock(&entries_lock);`
			`fmt = check_file(bprm);`
			`@@ -200,8 +196,6 @@ static int load_misc_binary(struct linux_binprm bprm, struct pt_regs regs)`
			`if (retval < 0)`
			`goto _error;`

			`- bprm->recursion_depth++;`
			`-`
			`retval = search_binary_handler (bprm, regs);`
			`if (retval < 0)`
			`goto _error;`
			`diff --git a/fs/binfmt_script.c b/fs/binfmt_script.c`
			`index df49d48..8ae4be1 100644`
			`--- a/fs/binfmt_script.c`
			`+++ b/fs/binfmt_script.c`
			`@@ -22,15 +22,13 @@ static int load_script(struct linux_binprm bprm,struct pt_regs regs)`
			`char interp[BINPRM_BUF_SIZE];`
			`int retval;`

			`- if ((bprm->buf[0] != '#') \|\| (bprm->buf[1] != '!') \|\|`
			`- (bprm->recursion_depth > BINPRM_MAX_RECURSION))`
			`+ if ((bprm->buf[0] != '#') \|\| (bprm->buf[1] != '!'))`
			`return -ENOEXEC;`
			`/*`
			`* This section does the #! interpretation.`
			`* Sorta complicated, but hopefully it will work. -TYT`
			`*/`

			`- bprm->recursion_depth++;`
			`allow_write_access(bprm->file);`
			`fput(bprm->file);`
			`bprm->file = NULL;`
			`diff --git a/fs/exec.c b/fs/exec.c`
			`index c6e6de4..85c1f9e 100644`
			`--- a/fs/exec.c`
			`+++ b/fs/exec.c`
			`@@ -1371,6 +1371,10 @@ int search_binary_handler(struct linux_binprm bprm,struct pt_regs regs)`
			`struct linux_binfmt *fmt;`
			`pid_t old_pid, old_vpid;`

			`+ /* This allows 4 levels of binfmt rewrites before failing hard. */`
			`+ if (depth > 5)`
			`+ return -ELOOP;`
			`+`
			`retval = security_bprm_check(bprm);`
			`if (retval)`
			`return retval;`
			`@@ -1395,12 +1399,8 @@ int search_binary_handler(struct linux_binprm bprm,struct pt_regs regs)`
			`if (!try_module_get(fmt->module))`
			`continue;`
			`read_unlock(&binfmt_lock);`
			`+ bprm->recursion_depth = depth + 1;`
			`retval = fn(bprm, regs);`
			`- /*`
			`- * Restore the depth counter to its starting value`
			`- * in this call, so we don't have to rely on every`
			`- * load_binary function to restore it on return.`
			`- */`
			`bprm->recursion_depth = depth;`
			`if (retval >= 0) {`
			`if (depth == 0) {`
			`diff --git a/include/linux/binfmts.h b/include/linux/binfmts.h`
			`index de0628e..54135f6 100644`
			`--- a/include/linux/binfmts.h`
			`+++ b/include/linux/binfmts.h`
			`@@ -54,8 +54,6 @@ struct linux_binprm {`
			`#define BINPRM_FLAGS_EXECFD_BIT 1`
			`#define BINPRM_FLAGS_EXECFD (1 << BINPRM_FLAGS_EXECFD_BIT)`

			`-#define BINPRM_MAX_RECURSION 4`
			`-`
			`/* Function parameter for binfmt->coredump */`
			`struct coredump_params {`
			`siginfo_t *siginfo;`
			`--`
			`1.8.0`