Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
For bugs related to Red Hat Enterprise Linux 3 product line. The current stable release is 3.9. For Red Hat Enterprise Linux 6 and above, please visit Red Hat JIRA https://issues.redhat.com/secure/CreateIssue!default.jspa?pid=12332745 to report new issues.

Bug 459468

Summary: kernel: binfmt_misc.c: avoid potential kernel stack overflow [rhel-3.9]
Product: Red Hat Enterprise Linux 3 Reporter: Eugene Teo (Security Response) <eteo>
Component: kernelAssignee: Don Howard <dhoward>
Status: CLOSED WONTFIX QA Contact: Martin Jenner <mjenner>
Severity: medium Docs Contact:
Priority: medium    
Version: 3.9CC: dhoward, lwang
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-08-20 16:19:56 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 459462    
Bug Blocks:    

Description Eugene Teo (Security Response) 2008-08-19 07:38:52 UTC 
+++ This bug was initially created as a clone of Bug #459462 +++

Description of problem:
Register the ":text:E::txt::/root/cat.txt:' rule in binfmt_misc (by root) and try launching the cat.txt file (by anyone) :) The result is - the endless recursion in the load_misc_binary -> open_exec -> load_misc_binary chain and stack overflow.

There's a similar problem with binfmt_script, and there's a sh_bang memner on linux_binprm structure to handle this, but simply raising this in binfmt_misc may break some setups when the interpreter of some misc binaries is a script.

So the proposal is to turn sh_bang into a bit, add a new one (the misc_bang) and raise it in load_misc_binary.  After this, even if we set up the misc -> script -> misc loop for binfmts one of them will step on its own bang and exit.

Note that this can be triggered with root help only.

http://lkml.org/lkml/2008/3/13/245

--- Additional comment from eteo on 2008-08-19 03:17:02 EDT ---

Proposed upstream patch:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=3a2e7f47d71e1df86acc1dda6826890b6546a4e1

--- Additional comment from eteo on 2008-08-19 03:17:35 EDT ---

(In reply to comment #1)
> Proposed upstream patch:
> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=3a2e7f47d71e1df86acc1dda6826890b6546a4e1

Note that there is a regression. See http://lkml.org/lkml/2008/8/18/544. The patch is not in upstream yet AFAIK.
Comment 1 Eugene Teo (Security Response) 2008-08-19 07:50:16 UTC 
Steps to Reproduce:
1. as root user, run echo ":text:E::txt::/cat.txt:" >
/proc/sys/fs/binfmt_misc/register; touch /cat.txt; chmod +x /cat.txt
2) as normal user, run /cat.txt
Comment 3 Don Howard 2008-08-20 16:19:56 UTC 
I can confirm that this reproducible on rhel3.

However, it doesn't rise to the level of critical bugfix, given that root-owned files must be mis-configured.