Bug 459462

Summary: kernel: binfmt_misc.c: avoid potential kernel stack overflow [mrg-1]
Product: Red Hat Enterprise MRG Reporter: Eugene Teo (Security Response) <eteo>
Component: realtime-kernelAssignee: Red Hat Real Time Maintenance <rt-maint>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: 1.1CC: bhu, davids, lgoncalv, williams
Target Milestone: 1.0.3   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-10-07 19:21:00 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 459463, 459464, 459466, 459467, 459468, 459470, 459471    

Description Eugene Teo (Security Response) 2008-08-19 07:11:45 UTC 
Description of problem:
Register the ":text:E::txt::/root/cat.txt:' rule in binfmt_misc (by root) and try launching the cat.txt file (by anyone) :) The result is - the endless recursion in the load_misc_binary -> open_exec -> load_misc_binary chain and stack overflow.

There's a similar problem with binfmt_script, and there's a sh_bang memner on linux_binprm structure to handle this, but simply raising this in binfmt_misc may break some setups when the interpreter of some misc binaries is a script.

So the proposal is to turn sh_bang into a bit, add a new one (the misc_bang) and raise it in load_misc_binary.  After this, even if we set up the misc -> script -> misc loop for binfmts one of them will step on its own bang and exit.

Note that this can be triggered with root help only.

http://lkml.org/lkml/2008/3/13/245
Comment 1 Eugene Teo (Security Response) 2008-08-19 07:17:02 UTC 
Proposed upstream patch:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=3a2e7f47d71e1df86acc1dda6826890b6546a4e1
Comment 2 Eugene Teo (Security Response) 2008-08-19 07:17:35 UTC 
(In reply to comment #1)
> Proposed upstream patch:
> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=3a2e7f47d71e1df86acc1dda6826890b6546a4e1

Note that there is a regression. See http://lkml.org/lkml/2008/8/18/544. The patch is not in upstream yet AFAIK.
Comment 3 Eugene Teo (Security Response) 2008-08-19 07:46:16 UTC 
Steps to Reproduce:
1. as root user, run echo ":text:E::txt::/cat.txt:" > /proc/sys/fs/binfmt_misc/register; touch /cat.txt; chmod +x /cat.txt
2) as normal user, run /cat.txt
Comment 4 Eugene Teo (Security Response) 2008-08-21 02:38:34 UTC 
(In reply to comment #2)
> (In reply to comment #1)
> > Proposed upstream patch:
> > http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=3a2e7f47d71e1df86acc1dda6826890b6546a4e1
> 
> Note that there is a regression. See http://lkml.org/lkml/2008/8/18/544. The
> patch is not in upstream yet AFAIK.

This is ff9bc512f198eb47204f55b24c6fe3d36ed89592
Comment 5 Luis Claudio R. Goncalves 2008-08-21 19:03:27 UTC 
Added the commits below to the patch queue of -78 (MRG):

3a2e7f47d71e1df86acc1dda6826890b6546a4e1
ff9bc512f198eb47204f55b24c6fe3d36ed89592
Comment 7 David Sommerseth 2008-09-30 17:29:14 UTC 
Verified.  Reproducing on 2.6.24.7-74rt causes hang, while 2.6.24.7-81rt behaves properly.

Upstream commit 3a2e7f47d71e1df86acc1dda6826890b6546a4e1 found as mrg-rt.git commit eccddc7dc8f3b0ff2cbc52acf17e4984e8f646e2

Upstream commit ff9bc512f198eb47204f55b24c6fe3d36ed89592 found as mrg-rt.git commit f43e371df762e53413e7a87d6b686ff66982e3ae.

Both commits found in mrg-rt-2.6.24.7-81.
Comment 9 errata-xmlrpc 2008-10-07 19:21:00 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2008-0857.html