mirror of
https://github.com/torvalds/linux.git
synced 2024-11-17 01:22:07 +00:00
bc2bf338d5
Recursion in kernel code is generally a bad idea as it can overflow the kernel stack. Recursion in exec also hides that the code is looping and that the loop changes bprm->file. Instead of recursing in search_binary_handler have the methods that would recurse set bprm->interpreter and return 0. Modify exec_binprm to loop when bprm->interpreter is set. Consolidate all of the reassignments of bprm->file in that loop to make it clear what is going on. The structure of the new loop in exec_binprm is that all errors return immediately, while successful completion (ret == 0 && !bprm->interpreter) just breaks out of the loop and runs what exec_bprm has always run upon successful completion. Fail if the an interpreter is being call after execfd has been set. The code has never properly handled an interpreter being called with execfd being set and with reassignments of bprm->file and the assignment of bprm->executable in generic code it has finally become possible to test and fail when if this problematic condition happens. With the reassignments of bprm->file and the assignment of bprm->executable moved into the generic code add a test to see if bprm->executable is being reassigned. In search_binary_handler remove the test for !bprm->file. With all reassignments of bprm->file moved to exec_binprm bprm->file can never be NULL in search_binary_handler. Link: https://lkml.kernel.org/r/87sgfwyd84.fsf_-_@x220.int.ebiederm.org Acked-by: Linus Torvalds <torvalds@linux-foundation.org> Reviewed-by: Kees Cook <keescook@chromium.org> Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
111 lines
2.7 KiB
C
111 lines
2.7 KiB
C
// SPDX-License-Identifier: GPL-2.0-only
|
|
/*
|
|
* linux/fs/binfmt_em86.c
|
|
*
|
|
* Based on linux/fs/binfmt_script.c
|
|
* Copyright (C) 1996 Martin von Löwis
|
|
* original #!-checking implemented by tytso.
|
|
*
|
|
* em86 changes Copyright (C) 1997 Jim Paradis
|
|
*/
|
|
|
|
#include <linux/module.h>
|
|
#include <linux/string.h>
|
|
#include <linux/stat.h>
|
|
#include <linux/binfmts.h>
|
|
#include <linux/elf.h>
|
|
#include <linux/init.h>
|
|
#include <linux/fs.h>
|
|
#include <linux/file.h>
|
|
#include <linux/errno.h>
|
|
|
|
|
|
#define EM86_INTERP "/usr/bin/em86"
|
|
#define EM86_I_NAME "em86"
|
|
|
|
static int load_em86(struct linux_binprm *bprm)
|
|
{
|
|
const char *i_name, *i_arg;
|
|
char *interp;
|
|
struct file * file;
|
|
int retval;
|
|
struct elfhdr elf_ex;
|
|
|
|
/* Make sure this is a Linux/Intel ELF executable... */
|
|
elf_ex = *((struct elfhdr *)bprm->buf);
|
|
|
|
if (memcmp(elf_ex.e_ident, ELFMAG, SELFMAG) != 0)
|
|
return -ENOEXEC;
|
|
|
|
/* First of all, some simple consistency checks */
|
|
if ((elf_ex.e_type != ET_EXEC && elf_ex.e_type != ET_DYN) ||
|
|
(!((elf_ex.e_machine == EM_386) || (elf_ex.e_machine == EM_486))) ||
|
|
!bprm->file->f_op->mmap) {
|
|
return -ENOEXEC;
|
|
}
|
|
|
|
/* Need to be able to load the file after exec */
|
|
if (bprm->interp_flags & BINPRM_FLAGS_PATH_INACCESSIBLE)
|
|
return -ENOENT;
|
|
|
|
/* Unlike in the script case, we don't have to do any hairy
|
|
* parsing to find our interpreter... it's hardcoded!
|
|
*/
|
|
interp = EM86_INTERP;
|
|
i_name = EM86_I_NAME;
|
|
i_arg = NULL; /* We reserve the right to add an arg later */
|
|
|
|
/*
|
|
* Splice in (1) the interpreter's name for argv[0]
|
|
* (2) (optional) argument to interpreter
|
|
* (3) filename of emulated file (replace argv[0])
|
|
*
|
|
* This is done in reverse order, because of how the
|
|
* user environment and arguments are stored.
|
|
*/
|
|
remove_arg_zero(bprm);
|
|
retval = copy_strings_kernel(1, &bprm->filename, bprm);
|
|
if (retval < 0) return retval;
|
|
bprm->argc++;
|
|
if (i_arg) {
|
|
retval = copy_strings_kernel(1, &i_arg, bprm);
|
|
if (retval < 0) return retval;
|
|
bprm->argc++;
|
|
}
|
|
retval = copy_strings_kernel(1, &i_name, bprm);
|
|
if (retval < 0) return retval;
|
|
bprm->argc++;
|
|
|
|
/*
|
|
* OK, now restart the process with the interpreter's inode.
|
|
* Note that we use open_exec() as the name is now in kernel
|
|
* space, and we don't need to copy it.
|
|
*/
|
|
file = open_exec(interp);
|
|
if (IS_ERR(file))
|
|
return PTR_ERR(file);
|
|
|
|
bprm->interpreter = file;
|
|
return 0;
|
|
}
|
|
|
|
static struct linux_binfmt em86_format = {
|
|
.module = THIS_MODULE,
|
|
.load_binary = load_em86,
|
|
};
|
|
|
|
static int __init init_em86_binfmt(void)
|
|
{
|
|
register_binfmt(&em86_format);
|
|
return 0;
|
|
}
|
|
|
|
static void __exit exit_em86_binfmt(void)
|
|
{
|
|
unregister_binfmt(&em86_format);
|
|
}
|
|
|
|
core_initcall(init_em86_binfmt);
|
|
module_exit(exit_em86_binfmt);
|
|
MODULE_LICENSE("GPL");
|