[thirdparty/kernel/stable-queue.git] / releases / 3.4.25 / exec-do-not-leave-bprm-interp-on-stack.patch

From b66c5984017533316fd1951770302649baf1aa33 Mon Sep 17 00:00:00 2001
From: Kees Cook <keescook@chromium.org>
Date: Thu, 20 Dec 2012 15:05:16 -0800
Subject: exec: do not leave bprm->interp on stack

From: Kees Cook <keescook@chromium.org>

commit b66c5984017533316fd1951770302649baf1aa33 upstream.

If a series of scripts are executed, each triggering module loading via
unprintable bytes in the script header, kernel stack contents can leak
into the command line.

Normally execution of binfmt_script and binfmt_misc happens recursively.
However, when modules are enabled, and unprintable bytes exist in the
bprm->buf, execution will restart after attempting to load matching
binfmt modules.  Unfortunately, the logic in binfmt_script and
binfmt_misc does not expect to get restarted.  They leave bprm->interp
pointing to their local stack.  This means on restart bprm->interp is
left pointing into unused stack memory which can then be copied into the
userspace argv areas.

After additional study, it seems that both recursion and restart remains
the desirable way to handle exec with scripts, misc, and modules.  As
such, we need to protect the changes to interp.

This changes the logic to require allocation for any changes to the
bprm->interp.  To avoid adding a new kmalloc to every exec, the default
value is left as-is.  Only when passing through binfmt_script or
binfmt_misc does an allocation take place.

For a proof of concept, see DoTest.sh from:

   http://www.halfdog.net/Security/2012/LinuxKernelBinfmtScriptStackDataDisclosure/

Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: halfdog <me@halfdog.net>
Cc: P J P <ppandit@redhat.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/binfmt_misc.c        |    5 ++++-
 fs/binfmt_script.c      |    4 +++-
 fs/exec.c               |   15 +++++++++++++++
 include/linux/binfmts.h |    1 +
 4 files changed, 23 insertions(+), 2 deletions(-)

--- a/fs/binfmt_misc.c
+++ b/fs/binfmt_misc.c
@@ -176,7 +176,10 @@ static int load_misc_binary(struct linux
 		goto _error;
 	bprm->argc ++;
 
-	bprm->interp = iname;	/* for binfmt_script */
+	/* Update interp in case binfmt_script needs it. */
+	retval = bprm_change_interp(iname, bprm);
+	if (retval < 0)
+		goto _error;
 
 	interp_file = open_exec (iname);
 	retval = PTR_ERR (interp_file);
--- a/fs/binfmt_script.c
+++ b/fs/binfmt_script.c
@@ -82,7 +82,9 @@ static int load_script(struct linux_binp
 	retval = copy_strings_kernel(1, &i_name, bprm);
 	if (retval) return retval; 
 	bprm->argc++;
-	bprm->interp = interp;
+	retval = bprm_change_interp(interp, bprm);
+	if (retval < 0)
+		return retval;
 
 	/*
 	 * OK, now restart the process with the interpreter's dentry.
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -1206,9 +1206,24 @@ void free_bprm(struct linux_binprm *bprm
 		mutex_unlock(&current->signal->cred_guard_mutex);
 		abort_creds(bprm->cred);
 	}
+	/* If a binfmt changed the interp, free it. */
+	if (bprm->interp != bprm->filename)
+		kfree(bprm->interp);
 	kfree(bprm);
 }
 
+int bprm_change_interp(char *interp, struct linux_binprm *bprm)
+{
+	/* If a binfmt changed the interp, free it first. */
+	if (bprm->interp != bprm->filename)
+		kfree(bprm->interp);
+	bprm->interp = kstrdup(interp, GFP_KERNEL);
+	if (!bprm->interp)
+		return -ENOMEM;
+	return 0;
+}
+EXPORT_SYMBOL(bprm_change_interp);
+
 /*
  * install the new credentials for this executable
  */
--- a/include/linux/binfmts.h
+++ b/include/linux/binfmts.h
@@ -128,6 +128,7 @@ extern int setup_arg_pages(struct linux_
 			   unsigned long stack_top,
 			   int executable_stack);
 extern int bprm_mm_init(struct linux_binprm *bprm);
+extern int bprm_change_interp(char *interp, struct linux_binprm *bprm);
 extern int copy_strings_kernel(int argc, const char *const *argv,
 			       struct linux_binprm *bprm);
 extern int prepare_bprm_creds(struct linux_binprm *bprm);
Commit	Line	Data
a0f1e827 GKH	1	From b66c5984017533316fd1951770302649baf1aa33 Mon Sep 17 00:00:00 2001
	2	From: Kees Cook <keescook@chromium.org>
	3	Date: Thu, 20 Dec 2012 15:05:16 -0800
	4	Subject: exec: do not leave bprm->interp on stack
	5
	6	From: Kees Cook <keescook@chromium.org>
	7
	8	commit b66c5984017533316fd1951770302649baf1aa33 upstream.
	9
	10	If a series of scripts are executed, each triggering module loading via
	11	unprintable bytes in the script header, kernel stack contents can leak
	12	into the command line.
	13
	14	Normally execution of binfmt_script and binfmt_misc happens recursively.
	15	However, when modules are enabled, and unprintable bytes exist in the
	16	bprm->buf, execution will restart after attempting to load matching
	17	binfmt modules. Unfortunately, the logic in binfmt_script and
	18	binfmt_misc does not expect to get restarted. They leave bprm->interp
	19	pointing to their local stack. This means on restart bprm->interp is
	20	left pointing into unused stack memory which can then be copied into the
	21	userspace argv areas.
	22
	23	After additional study, it seems that both recursion and restart remains
	24	the desirable way to handle exec with scripts, misc, and modules. As
	25	such, we need to protect the changes to interp.
	26
	27	This changes the logic to require allocation for any changes to the
	28	bprm->interp. To avoid adding a new kmalloc to every exec, the default
	29	value is left as-is. Only when passing through binfmt_script or
	30	binfmt_misc does an allocation take place.
	31
	32	For a proof of concept, see DoTest.sh from:
	33
	34	http://www.halfdog.net/Security/2012/LinuxKernelBinfmtScriptStackDataDisclosure/
	35
	36	Signed-off-by: Kees Cook <keescook@chromium.org>
	37	Cc: halfdog <me@halfdog.net>
	38	Cc: P J P <ppandit@redhat.com>
	39	Cc: Alexander Viro <viro@zeniv.linux.org.uk>
	40	Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
	41	Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
	42	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	43
	44	---
	45	fs/binfmt_misc.c \| 5 ++++-
	46	fs/binfmt_script.c \| 4 +++-
	47	fs/exec.c \| 15 +++++++++++++++
	48	include/linux/binfmts.h \| 1 +
	49	4 files changed, 23 insertions(+), 2 deletions(-)
	50
	51	--- a/fs/binfmt_misc.c
	52	+++ b/fs/binfmt_misc.c
	53	@@ -176,7 +176,10 @@ static int load_misc_binary(struct linux
	54	goto _error;
	55	bprm->argc ++;
	56
	57	- bprm->interp = iname; /* for binfmt_script */
	58	+ /* Update interp in case binfmt_script needs it. */
	59	+ retval = bprm_change_interp(iname, bprm);
	60	+ if (retval < 0)
	61	+ goto _error;
	62
	63	interp_file = open_exec (iname);
	64	retval = PTR_ERR (interp_file);
65	--- a/fs/binfmt_script.c
66	+++ b/fs/binfmt_script.c
67	@@ -82,7 +82,9 @@ static int load_script(struct linux_binp
68	retval = copy_strings_kernel(1, &i_name, bprm);
69	if (retval) return retval;
70	bprm->argc++;
71	- bprm->interp = interp;
72	+ retval = bprm_change_interp(interp, bprm);
73	+ if (retval < 0)
74	+ return retval;
75
76	/*
77	* OK, now restart the process with the interpreter's dentry.
78	--- a/fs/exec.c
79	+++ b/fs/exec.c
80	@@ -1206,9 +1206,24 @@ void free_bprm(struct linux_binprm *bprm
81	mutex_unlock(&current->signal->cred_guard_mutex);
82	abort_creds(bprm->cred);
83	}
84	+ /* If a binfmt changed the interp, free it. */
85	+ if (bprm->interp != bprm->filename)
86	+ kfree(bprm->interp);
87	kfree(bprm);
88	}
89
90	+int bprm_change_interp(char interp, struct linux_binprm bprm)
91	+{
92	+ /* If a binfmt changed the interp, free it first. */
93	+ if (bprm->interp != bprm->filename)
94	+ kfree(bprm->interp);
95	+ bprm->interp = kstrdup(interp, GFP_KERNEL);
96	+ if (!bprm->interp)
97	+ return -ENOMEM;
98	+ return 0;
99	+}
100	+EXPORT_SYMBOL(bprm_change_interp);
101	+
102	/*
103	* install the new credentials for this executable
104	*/
105	--- a/include/linux/binfmts.h
106	+++ b/include/linux/binfmts.h
107	@@ -128,6 +128,7 @@ extern int setup_arg_pages(struct linux_
108	unsigned long stack_top,
109	int executable_stack);
110	extern int bprm_mm_init(struct linux_binprm *bprm);
111	+extern int bprm_change_interp(char interp, struct linux_binprm bprm);
112	extern int copy_strings_kernel(int argc, const char const argv,
113	struct linux_binprm *bprm);
114	extern int prepare_bprm_creds(struct linux_binprm *bprm);