Description of problem: Register the ":text:E::txt::/root/cat.txt:' rule in binfmt_misc (by root) and try launching the cat.txt file (by anyone) :) The result is - the endless recursion in the load_misc_binary -> open_exec -> load_misc_binary chain and stack overflow. There's a similar problem with binfmt_script, and there's a sh_bang memner on linux_binprm structure to handle this, but simply raising this in binfmt_misc may break some setups when the interpreter of some misc binaries is a script. So the proposal is to turn sh_bang into a bit, add a new one (the misc_bang) and raise it in load_misc_binary. After this, even if we set up the misc -> script -> misc loop for binfmts one of them will step on its own bang and exit. Note that this can be triggered with root help only. http://lkml.org/lkml/2008/3/13/245
Proposed upstream patch: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=3a2e7f47d71e1df86acc1dda6826890b6546a4e1
(In reply to comment #1) > Proposed upstream patch: > http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=3a2e7f47d71e1df86acc1dda6826890b6546a4e1 Note that there is a regression. See http://lkml.org/lkml/2008/8/18/544. The patch is not in upstream yet AFAIK.
Steps to Reproduce: 1. as root user, run echo ":text:E::txt::/cat.txt:" > /proc/sys/fs/binfmt_misc/register; touch /cat.txt; chmod +x /cat.txt 2) as normal user, run /cat.txt
(In reply to comment #2) > (In reply to comment #1) > > Proposed upstream patch: > > http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=3a2e7f47d71e1df86acc1dda6826890b6546a4e1 > > Note that there is a regression. See http://lkml.org/lkml/2008/8/18/544. The > patch is not in upstream yet AFAIK. This is ff9bc512f198eb47204f55b24c6fe3d36ed89592
Added the commits below to the patch queue of -78 (MRG): 3a2e7f47d71e1df86acc1dda6826890b6546a4e1 ff9bc512f198eb47204f55b24c6fe3d36ed89592
Verified. Reproducing on 2.6.24.7-74rt causes hang, while 2.6.24.7-81rt behaves properly. Upstream commit 3a2e7f47d71e1df86acc1dda6826890b6546a4e1 found as mrg-rt.git commit eccddc7dc8f3b0ff2cbc52acf17e4984e8f646e2 Upstream commit ff9bc512f198eb47204f55b24c6fe3d36ed89592 found as mrg-rt.git commit f43e371df762e53413e7a87d6b686ff66982e3ae. Both commits found in mrg-rt-2.6.24.7-81.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2008-0857.html