From ba1b23d05259e31d30a78017cdfbc010dcb08aa6 Mon Sep 17 00:00:00 2001

From: Kees Cook <keescook@chromium.org>

Date: Mon, 26 Nov 2012 09:02:11 -0500

Subject: [PATCH 2/2] exec: use -ELOOP for max recursion depth

To avoid an explosion of request_module calls on a chain of abusive

scripts, fail maximum recursion with -ELOOP instead of -ENOEXEC. As soon

as maximum recursion depth is hit, the error will fail all the way back

up the chain, aborting immediately.

This also has the side-effect of stopping the user's shell from attempting

to reexecute the top-level file as a shell script. As seen in the

dash source:

        if (cmd != path_bshell && errno == ENOEXEC) {

                *argv-- = cmd;

                *argv = cmd = path_bshell;

                goto repeat;

        }

The above logic was designed for running scripts automatically that lacked

the "#!" header, not to re-try failed recursion. On a legitimate -ENOEXEC,

things continue to behave as the shell expects.

Additionally, when tracking recursion, the binfmt handlers should not be

involved. The recursion being tracked is the depth of calls through

search_binary_handler(), so that function should be exclusively responsible

for tracking the depth.

Signed-off-by: Kees Cook <keescook@chromium.org>

Cc: halfdog <me@halfdog.net>

Cc: P J P <ppandit@redhat.com>

Cc: Alexander Viro <viro@zeniv.linux.org.uk>

Signed-off-by: Andrew Morton <akpm@linux-foundation.org>

---

 fs/binfmt_em86.c        |  1 -

 fs/binfmt_misc.c        |  6 ------

 fs/binfmt_script.c      |  4 +---

 fs/exec.c               | 10 +++++-----

 include/linux/binfmts.h |  2 --

 5 files changed, 6 insertions(+), 17 deletions(-)

diff --git a/fs/binfmt_em86.c b/fs/binfmt_em86.c

index 2790c7e..575796a 100644

--- a/fs/binfmt_em86.c

+++ b/fs/binfmt_em86.c

@@ -42,7 +42,6 @@ static int load_em86(struct linux_binprm *bprm,struct pt_regs *regs)

 			return -ENOEXEC;

 	}

-	bprm->recursion_depth++; /* Well, the bang-shell is implicit... */

 	allow_write_access(bprm->file);

 	fput(bprm->file);

 	bprm->file = NULL;

diff --git a/fs/binfmt_misc.c b/fs/binfmt_misc.c

index 772428d..f0f1a06 100644

--- a/fs/binfmt_misc.c

+++ b/fs/binfmt_misc.c

@@ -117,10 +117,6 @@ static int load_misc_binary(struct linux_binprm *bprm, struct pt_regs *regs)

 	if (!enabled)

 		goto _ret;

-	retval = -ENOEXEC;

-	if (bprm->recursion_depth > BINPRM_MAX_RECURSION)

-		goto _ret;

-

 	/* to keep locking time low, we copy the interpreter string */

 	read_lock(&entries_lock);

 	fmt = check_file(bprm);

@@ -200,8 +196,6 @@ static int load_misc_binary(struct linux_binprm *bprm, struct pt_regs *regs)

 	if (retval < 0)

 		goto _error;

-	bprm->recursion_depth++;

-

 	retval = search_binary_handler (bprm, regs);

 	if (retval < 0)

 		goto _error;

diff --git a/fs/binfmt_script.c b/fs/binfmt_script.c

index df49d48..8ae4be1 100644

--- a/fs/binfmt_script.c

+++ b/fs/binfmt_script.c

@@ -22,15 +22,13 @@ static int load_script(struct linux_binprm *bprm,struct pt_regs *regs)

 	char interp[BINPRM_BUF_SIZE];

 	int retval;

-	if ((bprm->buf[0] != '#') || (bprm->buf[1] != '!') ||

-	    (bprm->recursion_depth > BINPRM_MAX_RECURSION))

+	if ((bprm->buf[0] != '#') || (bprm->buf[1] != '!'))

 		return -ENOEXEC;

 	/*

 	 * This section does the #! interpretation.

 	 * Sorta complicated, but hopefully it will work.  -TYT

 	 */

-	bprm->recursion_depth++;

 	allow_write_access(bprm->file);

 	fput(bprm->file);

 	bprm->file = NULL;

diff --git a/fs/exec.c b/fs/exec.c

index c6e6de4..85c1f9e 100644

--- a/fs/exec.c

+++ b/fs/exec.c

@@ -1371,6 +1371,10 @@ int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs)

 	struct linux_binfmt *fmt;

 	pid_t old_pid, old_vpid;

+	/* This allows 4 levels of binfmt rewrites before failing hard. */

+	if (depth > 5)

+		return -ELOOP;

+

 	retval = security_bprm_check(bprm);

 	if (retval)

 		return retval;

@@ -1395,12 +1399,8 @@ int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs)

 			if (!try_module_get(fmt->module))

 				continue;

 			read_unlock(&binfmt_lock);

+			bprm->recursion_depth = depth + 1;

 			retval = fn(bprm, regs);

-			/*

-			 * Restore the depth counter to its starting value

-			 * in this call, so we don't have to rely on every

-			 * load_binary function to restore it on return.

-			 */

 			bprm->recursion_depth = depth;

 			if (retval >= 0) {

 				if (depth == 0) {

diff --git a/include/linux/binfmts.h b/include/linux/binfmts.h

index de0628e..54135f6 100644

--- a/include/linux/binfmts.h

+++ b/include/linux/binfmts.h

@@ -54,8 +54,6 @@ struct linux_binprm {

 #define BINPRM_FLAGS_EXECFD_BIT 1

 #define BINPRM_FLAGS_EXECFD (1 << BINPRM_FLAGS_EXECFD_BIT)

-#define BINPRM_MAX_RECURSION 4

-

 /* Function parameter for binfmt->coredump */

 struct coredump_params {

 	siginfo_t *siginfo;

-- 

1.8.0