]>
Commit | Line | Data |
---|---|---|
a0f1e827 GKH |
1 | From b66c5984017533316fd1951770302649baf1aa33 Mon Sep 17 00:00:00 2001 |
2 | From: Kees Cook <keescook@chromium.org> | |
3 | Date: Thu, 20 Dec 2012 15:05:16 -0800 | |
4 | Subject: exec: do not leave bprm->interp on stack | |
5 | ||
6 | From: Kees Cook <keescook@chromium.org> | |
7 | ||
8 | commit b66c5984017533316fd1951770302649baf1aa33 upstream. | |
9 | ||
10 | If a series of scripts are executed, each triggering module loading via | |
11 | unprintable bytes in the script header, kernel stack contents can leak | |
12 | into the command line. | |
13 | ||
14 | Normally execution of binfmt_script and binfmt_misc happens recursively. | |
15 | However, when modules are enabled, and unprintable bytes exist in the | |
16 | bprm->buf, execution will restart after attempting to load matching | |
17 | binfmt modules. Unfortunately, the logic in binfmt_script and | |
18 | binfmt_misc does not expect to get restarted. They leave bprm->interp | |
19 | pointing to their local stack. This means on restart bprm->interp is | |
20 | left pointing into unused stack memory which can then be copied into the | |
21 | userspace argv areas. | |
22 | ||
23 | After additional study, it seems that both recursion and restart remains | |
24 | the desirable way to handle exec with scripts, misc, and modules. As | |
25 | such, we need to protect the changes to interp. | |
26 | ||
27 | This changes the logic to require allocation for any changes to the | |
28 | bprm->interp. To avoid adding a new kmalloc to every exec, the default | |
29 | value is left as-is. Only when passing through binfmt_script or | |
30 | binfmt_misc does an allocation take place. | |
31 | ||
32 | For a proof of concept, see DoTest.sh from: | |
33 | ||
34 | http://www.halfdog.net/Security/2012/LinuxKernelBinfmtScriptStackDataDisclosure/ | |
35 | ||
36 | Signed-off-by: Kees Cook <keescook@chromium.org> | |
37 | Cc: halfdog <me@halfdog.net> | |
38 | Cc: P J P <ppandit@redhat.com> | |
39 | Cc: Alexander Viro <viro@zeniv.linux.org.uk> | |
40 | Signed-off-by: Andrew Morton <akpm@linux-foundation.org> | |
41 | Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> | |
42 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | |
43 | ||
44 | --- | |
45 | fs/binfmt_misc.c | 5 ++++- | |
46 | fs/binfmt_script.c | 4 +++- | |
47 | fs/exec.c | 15 +++++++++++++++ | |
48 | include/linux/binfmts.h | 1 + | |
49 | 4 files changed, 23 insertions(+), 2 deletions(-) | |
50 | ||
51 | --- a/fs/binfmt_misc.c | |
52 | +++ b/fs/binfmt_misc.c | |
53 | @@ -176,7 +176,10 @@ static int load_misc_binary(struct linux | |
54 | goto _error; | |
55 | bprm->argc ++; | |
56 | ||
57 | - bprm->interp = iname; /* for binfmt_script */ | |
58 | + /* Update interp in case binfmt_script needs it. */ | |
59 | + retval = bprm_change_interp(iname, bprm); | |
60 | + if (retval < 0) | |
61 | + goto _error; | |
62 | ||
63 | interp_file = open_exec (iname); | |
64 | retval = PTR_ERR (interp_file); | |
65 | --- a/fs/binfmt_script.c | |
66 | +++ b/fs/binfmt_script.c | |
67 | @@ -82,7 +82,9 @@ static int load_script(struct linux_binp | |
68 | retval = copy_strings_kernel(1, &i_name, bprm); | |
69 | if (retval) return retval; | |
70 | bprm->argc++; | |
71 | - bprm->interp = interp; | |
72 | + retval = bprm_change_interp(interp, bprm); | |
73 | + if (retval < 0) | |
74 | + return retval; | |
75 | ||
76 | /* | |
77 | * OK, now restart the process with the interpreter's dentry. | |
78 | --- a/fs/exec.c | |
79 | +++ b/fs/exec.c | |
80 | @@ -1206,9 +1206,24 @@ void free_bprm(struct linux_binprm *bprm | |
81 | mutex_unlock(¤t->signal->cred_guard_mutex); | |
82 | abort_creds(bprm->cred); | |
83 | } | |
84 | + /* If a binfmt changed the interp, free it. */ | |
85 | + if (bprm->interp != bprm->filename) | |
86 | + kfree(bprm->interp); | |
87 | kfree(bprm); | |
88 | } | |
89 | ||
90 | +int bprm_change_interp(char *interp, struct linux_binprm *bprm) | |
91 | +{ | |
92 | + /* If a binfmt changed the interp, free it first. */ | |
93 | + if (bprm->interp != bprm->filename) | |
94 | + kfree(bprm->interp); | |
95 | + bprm->interp = kstrdup(interp, GFP_KERNEL); | |
96 | + if (!bprm->interp) | |
97 | + return -ENOMEM; | |
98 | + return 0; | |
99 | +} | |
100 | +EXPORT_SYMBOL(bprm_change_interp); | |
101 | + | |
102 | /* | |
103 | * install the new credentials for this executable | |
104 | */ | |
105 | --- a/include/linux/binfmts.h | |
106 | +++ b/include/linux/binfmts.h | |
107 | @@ -128,6 +128,7 @@ extern int setup_arg_pages(struct linux_ | |
108 | unsigned long stack_top, | |
109 | int executable_stack); | |
110 | extern int bprm_mm_init(struct linux_binprm *bprm); | |
111 | +extern int bprm_change_interp(char *interp, struct linux_binprm *bprm); | |
112 | extern int copy_strings_kernel(int argc, const char *const *argv, | |
113 | struct linux_binprm *bprm); | |
114 | extern int prepare_bprm_creds(struct linux_binprm *bprm); |