diff options
author | Roland McGrath <roland@redhat.com> | 2008-12-09 22:36:38 -0500 |
---|---|---|
committer | Roland McGrath <roland@redhat.com> | 2008-12-09 22:36:38 -0500 |
commit | 85f334666a771680472722eee43ae0fc8730a619 (patch) | |
tree | 0a0ec4eb701b86a0504827ce496f2bdcf541cb72 | |
parent | 437f2f91d6597c67662f847d9ed4c99cb3c440cd (diff) |
tracehook: exec double-reporting fix
The patch 6341c39 "tracehook: exec" introduced a small regression in
2.6.27 regarding binfmt_misc exec event reporting. Since the reporting
is now done in the common search_binary_handler() function, an exec
of a misc binary will result in two (or possibly multiple) exec events
being reported, instead of just a single one, because the misc handler
contains a recursive call to search_binary_handler.
To add to the confusion, if PTRACE_O_TRACEEXEC is not active, the multiple
SIGTRAP signals will in fact cause only a single ptrace intercept, as the
signals are not queued. However, if PTRACE_O_TRACEEXEC is on, the debugger
will actually see multiple ptrace intercepts (PTRACE_EVENT_EXEC).
The test program included below demonstrates the problem.
This change fixes the bug by calling tracehook_report_exec() only in the
outermost search_binary_handler() call (bprm->recursion_depth == 0).
The additional change to restore bprm->recursion_depth after each binfmt
load_binary call is actually superfluous for this bug, since we test the
value saved on entry to search_binary_handler(). But it keeps the use of
of the depth count to its most obvious expected meaning. Depending on what
binfmt handlers do in certain cases, there could have been false-positive
tests for recursion limits before this change.
/* Test program using PTRACE_O_TRACEEXEC.
This forks and exec's the first argument with the rest of the arguments,
while ptrace'ing. It expects to see one PTRACE_EVENT_EXEC stop and
then a successful exit, with no other signals or events in between.
Test for kernel doing two PTRACE_EVENT_EXEC stops for a binfmt_misc exec:
$ gcc -g traceexec.c -o traceexec
$ sudo sh -c 'echo :test:M::foobar::/bin/cat: > /proc/sys/fs/binfmt_misc/register'
$ echo 'foobar test' > ./foobar
$ chmod +x ./foobar
$ ./traceexec ./foobar; echo $?
==> good <==
foobar test
0
$
==> bad <==
foobar test
unexpected status 0x4057f != 0
3
$
*/
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <sys/ptrace.h>
#include <unistd.h>
#include <signal.h>
#include <stdlib.h>
static void
wait_for (pid_t child, int expect)
{
int status;
pid_t p = wait (&status);
if (p != child)
{
perror ("wait");
exit (2);
}
if (status != expect)
{
fprintf (stderr, "unexpected status %#x != %#x\n", status, expect);
exit (3);
}
}
int
main (int argc, char **argv)
{
pid_t child = fork ();
if (child < 0)
{
perror ("fork");
return 127;
}
else if (child == 0)
{
ptrace (PTRACE_TRACEME);
raise (SIGUSR1);
execv (argv[1], &argv[1]);
perror ("execve");
_exit (127);
}
wait_for (child, W_STOPCODE (SIGUSR1));
if (ptrace (PTRACE_SETOPTIONS, child,
0L, (void *) (long) PTRACE_O_TRACEEXEC) != 0)
{
perror ("PTRACE_SETOPTIONS");
return 4;
}
if (ptrace (PTRACE_CONT, child, 0L, 0L) != 0)
{
perror ("PTRACE_CONT");
return 5;
}
wait_for (child, W_STOPCODE (SIGTRAP | (PTRACE_EVENT_EXEC << 8)));
if (ptrace (PTRACE_CONT, child, 0L, 0L) != 0)
{
perror ("PTRACE_CONT");
return 6;
}
wait_for (child, W_EXITCODE (0, 0));
return 0;
}
Reported-by: Arnd Bergmann <arnd@arndb.de>
CC: Ulrich Weigand <ulrich.weigand@de.ibm.com>
Signed-off-by: Roland McGrath <roland@redhat.com>
-rw-r--r-- | fs/exec.c | 10 |
1 files changed, 9 insertions, 1 deletions
@@ -1159,6 +1159,7 @@ EXPORT_SYMBOL(remove_arg_zero); | |||
1159 | */ | 1159 | */ |
1160 | int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs) | 1160 | int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs) |
1161 | { | 1161 | { |
1162 | unsigned int depth = bprm->recursion_depth; | ||
1162 | int try,retval; | 1163 | int try,retval; |
1163 | struct linux_binfmt *fmt; | 1164 | struct linux_binfmt *fmt; |
1164 | #ifdef __alpha__ | 1165 | #ifdef __alpha__ |
@@ -1219,8 +1220,15 @@ int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs) | |||
1219 | continue; | 1220 | continue; |
1220 | read_unlock(&binfmt_lock); | 1221 | read_unlock(&binfmt_lock); |
1221 | retval = fn(bprm, regs); | 1222 | retval = fn(bprm, regs); |
1223 | /* | ||
1224 | * Restore the depth counter to its starting value | ||
1225 | * in this call, so we don't have to rely on every | ||
1226 | * load_binary function to restore it on return. | ||
1227 | */ | ||
1228 | bprm->recursion_depth = depth; | ||
1222 | if (retval >= 0) { | 1229 | if (retval >= 0) { |
1223 | tracehook_report_exec(fmt, bprm, regs); | 1230 | if (depth == 0) |
1231 | tracehook_report_exec(fmt, bprm, regs); | ||
1224 | put_binfmt(fmt); | 1232 | put_binfmt(fmt); |
1225 | allow_write_access(bprm->file); | 1233 | allow_write_access(bprm->file); |
1226 | if (bprm->file) | 1234 | if (bprm->file) |