Red Hat Bugzilla – Bug 459466
kernel: binfmt_misc.c: avoid potential kernel stack overflow [rhel-4.8]
Last modified: 2011-02-16 11:03:15 EST
+++ This bug was initially created as a clone of Bug #459462 +++
Description of problem:
Register the ":text:E::txt::/root/cat.txt:' rule in binfmt_misc (by root) and try launching the cat.txt file (by anyone) :) The result is - the endless recursion in the load_misc_binary -> open_exec -> load_misc_binary chain and stack overflow.
There's a similar problem with binfmt_script, and there's a sh_bang memner on linux_binprm structure to handle this, but simply raising this in binfmt_misc may break some setups when the interpreter of some misc binaries is a script.
So the proposal is to turn sh_bang into a bit, add a new one (the misc_bang) and raise it in load_misc_binary. After this, even if we set up the misc -> script -> misc loop for binfmts one of them will step on its own bang and exit.
Note that this can be triggered with root help only.
--- Additional comment from email@example.com on 2008-08-19 03:17:02 EDT ---
Proposed upstream patch:
--- Additional comment from firstname.lastname@example.org on 2008-08-19 03:17:35 EDT ---
(In reply to comment #1)
> Proposed upstream patch:
Note that there is a regression. See http://lkml.org/lkml/2008/8/18/544. The patch is not in upstream yet AFAIK.
Steps to Reproduce:
1. as root user, run echo ":text:E::txt::/cat.txt:" >
/proc/sys/fs/binfmt_misc/register; touch /cat.txt; chmod +x /cat.txt
2) as normal user, run /cat.txt
(In reply to comment #2)
> (In reply to comment #1)
> > Proposed upstream patch:
> > http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=3a2e7f47d71e1df86acc1dda6826890b6546a4e1
> Note that there is a regression. See http://lkml.org/lkml/2008/8/18/544. The
> patch is not in upstream yet AFAIK.
This is ff9bc512f198eb47204f55b24c6fe3d36ed89592
Updating PM score.
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release. Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products. This request is not yet committed for inclusion in an Update
Committed in 89.43.EL . RPMS are available at http://people.redhat.com/vgoyal/rhel4/
confirmed this bug is fixed on the -94.EL kernel.
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.