summaryrefslogtreecommitdiff
path: root/fs/binfmt_script.c
diff options
context:
space:
mode:
authorPavel Emelyanov <xemul@openvz.org>2008-04-29 11:59:24 +0400
committerLinus Torvalds <torvalds@linux-foundation.org>2008-04-29 19:06:04 +0400
commit3a2e7f47d71e1df86acc1dda6826890b6546a4e1 (patch)
tree3c5856f67af25a80a4d934e754f437936c7b1bbf /fs/binfmt_script.c
parentcbd9b67bd3883dff0ef4b8ec9229d315a9ba38f0 (diff)
downloadlinux-3a2e7f47d71e1df86acc1dda6826890b6546a4e1.tar.xz
binfmt_misc.c: avoid potential kernel stack overflow
This can be triggered with root help only, but... Register the ":text:E::txt::/root/cat.txt:' rule in binfmt_misc (by root) and try launching the cat.txt file (by anyone) :) The result is - the endless recursion in the load_misc_binary -> open_exec -> load_misc_binary chain and stack overflow. There's a similar problem with binfmt_script, and there's a sh_bang memner on linux_binprm structure to handle this, but simply raising this in binfmt_misc may break some setups when the interpreter of some misc binaries is a script. So the proposal is to turn sh_bang into a bit, add a new one (the misc_bang) and raise it in load_misc_binary. After this, even if we set up the misc -> script -> misc loop for binfmts one of them will step on its own bang and exit. Signed-off-by: Pavel Emelyanov <xemul@openvz.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'fs/binfmt_script.c')
-rw-r--r--fs/binfmt_script.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/fs/binfmt_script.c b/fs/binfmt_script.c
index ab33939b12a7..9e3963f7ebf1 100644
--- a/fs/binfmt_script.c
+++ b/fs/binfmt_script.c
@@ -29,7 +29,7 @@ static int load_script(struct linux_binprm *bprm,struct pt_regs *regs)
* Sorta complicated, but hopefully it will work. -TYT
*/
- bprm->sh_bang++;
+ bprm->sh_bang = 1;
allow_write_access(bprm->file);
fput(bprm->file);
bprm->file = NULL;