• Thadeu Lima de Souza Cascardo's avatar
    fs/binfmt_misc.c: do not allow offset overflow · 5cc41e09
    Thadeu Lima de Souza Cascardo authored
    WHen registering a new binfmt_misc handler, it is possible to overflow
    the offset to get a negative value, which might crash the system, or
    possibly leak kernel data.
    
    Here is a crash log when 2500000000 was used as an offset:
    
      BUG: unable to handle kernel paging request at ffff989cfd6edca0
      IP: load_misc_binary+0x22b/0x470 [binfmt_misc]
      PGD 1ef3e067 P4D 1ef3e067 PUD 0
      Oops: 0000 [#1] SMP NOPTI
      Modules linked in: binfmt_misc kvm_intel ppdev kvm irqbypass joydev input_leds serio_raw mac_hid parport_pc qemu_fw_cfg parpy
      CPU: 0 PID: 2499 Comm: bash Not tainted 4.15.0-22-generic #24-Ubuntu
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.1-1 04/01/2014
      RIP: 0010:load_misc_binary+0x22b/0x470 [binfmt_misc]
      Call Trace:
        search_binary_handler+0x97/0x1d0
        do_execveat_common.isra.34+0x667/0x810
        SyS_execve+0x31/0x40
        do_syscall_64+0x73/0x130
        entry_SYSCALL_64_after_hwframe+0x3d/0xa2
    
    Use kstrtoint instead of simple_strtoul.  It will work as the code
    already set the delimiter byte to '\0' and we only do it when the field
    is not empty.
    
    Tested with offsets -1, 2500000000, UINT_MAX and INT_MAX.  Also tested
    with examples documented at Documentation/admin-guide/binfmt-misc.rst
    and other registrations from packages on Ubuntu.
    
    Link: http://lkml.kernel.org/r/20180529135648.14254-1-cascardo@canonical.com
    Fixes: 1da177e4 ("Linux-2.6.12-rc2")
    Signed-off-by: default avatarThadeu Lima de Souza Cascardo <cascardo@canonical.com>
    Reviewed-by: default avatarAndrew Morton <akpm@linux-foundation.org>
    Cc: Alexander Viro <viro@zeniv.linux.org.uk>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
    Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    5cc41e09
Name
Last commit
Last update
Documentation Loading commit data...
LICENSES Loading commit data...
arch Loading commit data...
block Loading commit data...
certs Loading commit data...
crypto Loading commit data...
drivers Loading commit data...
firmware Loading commit data...
fs Loading commit data...
include Loading commit data...
init Loading commit data...
ipc Loading commit data...
kernel Loading commit data...
lib Loading commit data...
mm Loading commit data...
net Loading commit data...
samples Loading commit data...
scripts Loading commit data...
security Loading commit data...
sound Loading commit data...
tools Loading commit data...
usr Loading commit data...
virt Loading commit data...
.clang-format Loading commit data...
.cocciconfig Loading commit data...
.get_maintainer.ignore Loading commit data...
.gitattributes Loading commit data...
.gitignore Loading commit data...
.mailmap Loading commit data...
COPYING Loading commit data...
CREDITS Loading commit data...
Kbuild Loading commit data...
Kconfig Loading commit data...
MAINTAINERS Loading commit data...
Makefile Loading commit data...
README Loading commit data...