Bug 459464 - kernel: binfmt_misc.c: avoid potential kernel stack overflow [rhel-5.2.z]
Summary: kernel: binfmt_misc.c: avoid potential kernel stack overflow [rhel-5.2.z]
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: kernel
Version: 5.2.z
Hardware: All
OS: Linux
urgent
medium
Target Milestone: rc
: ---
Assignee: Jiri Pirko
QA Contact: Martin Jenner
URL:
Whiteboard:
Depends On: 459462
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-08-19 07:29 UTC by Eugene Teo (Security Response)
Modified: 2015-05-05 01:15 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-11-04 10:29:34 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2008:0957 0 normal SHIPPED_LIVE Important: kernel security and bug fix update 2008-11-12 09:34:44 UTC

Description Eugene Teo (Security Response) 2008-08-19 07:29:24 UTC 
+++ This bug was initially created as a clone of Bug #459462 +++

Description of problem:
Register the ":text:E::txt::/root/cat.txt:' rule in binfmt_misc (by root) and try launching the cat.txt file (by anyone) :) The result is - the endless recursion in the load_misc_binary -> open_exec -> load_misc_binary chain and stack overflow.

There's a similar problem with binfmt_script, and there's a sh_bang memner on linux_binprm structure to handle this, but simply raising this in binfmt_misc may break some setups when the interpreter of some misc binaries is a script.

So the proposal is to turn sh_bang into a bit, add a new one (the misc_bang) and raise it in load_misc_binary.  After this, even if we set up the misc -> script -> misc loop for binfmts one of them will step on its own bang and exit.

Note that this can be triggered with root help only.

http://lkml.org/lkml/2008/3/13/245

--- Additional comment from eteo on 2008-08-19 03:17:02 EDT ---

Proposed upstream patch:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=3a2e7f47d71e1df86acc1dda6826890b6546a4e1

--- Additional comment from eteo on 2008-08-19 03:17:35 EDT ---

(In reply to comment #1)
> Proposed upstream patch:
> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=3a2e7f47d71e1df86acc1dda6826890b6546a4e1

Note that there is a regression. See http://lkml.org/lkml/2008/8/18/544. The patch is not in upstream yet AFAIK.
Comment 1 Eugene Teo (Security Response) 2008-08-19 07:49:31 UTC 
Steps to Reproduce:
1. as root user, run echo ":text:E::txt::/cat.txt:" >
/proc/sys/fs/binfmt_misc/register; touch /cat.txt; chmod +x /cat.txt
2) as normal user, run /cat.txt
Comment 2 Eugene Teo (Security Response) 2008-08-21 02:39:23 UTC 
(In reply to comment #2)
> (In reply to comment #1)
> > Proposed upstream patch:
> > http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=3a2e7f47d71e1df86acc1dda6826890b6546a4e1
> 
> Note that there is a regression. See http://lkml.org/lkml/2008/8/18/544. The
> patch is not in upstream yet AFAIK.

This is ff9bc512f198eb47204f55b24c6fe3d36ed89592
Comment 3 Jiri Pirko 2008-10-13 13:52:45 UTC 
in kernel-2.6.18-92.1.15.el5

you can download RPMs from http://people.redhat.com/jpirko/.el52z/92.1.15/
Comment 7 errata-xmlrpc 2008-11-04 10:29:34 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2008-0957.html
Note You need to log in before you can comment on or make changes to this bug.