aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRoland McGrath <roland@redhat.com>2008-12-09 22:36:38 -0500
committerRoland McGrath <roland@redhat.com>2008-12-09 22:36:38 -0500
commit85f334666a771680472722eee43ae0fc8730a619 (patch)
tree0a0ec4eb701b86a0504827ce496f2bdcf541cb72
parent437f2f91d6597c67662f847d9ed4c99cb3c440cd (diff)
tracehook: exec double-reporting fix
The patch 6341c39 "tracehook: exec" introduced a small regression in 2.6.27 regarding binfmt_misc exec event reporting. Since the reporting is now done in the common search_binary_handler() function, an exec of a misc binary will result in two (or possibly multiple) exec events being reported, instead of just a single one, because the misc handler contains a recursive call to search_binary_handler. To add to the confusion, if PTRACE_O_TRACEEXEC is not active, the multiple SIGTRAP signals will in fact cause only a single ptrace intercept, as the signals are not queued. However, if PTRACE_O_TRACEEXEC is on, the debugger will actually see multiple ptrace intercepts (PTRACE_EVENT_EXEC). The test program included below demonstrates the problem. This change fixes the bug by calling tracehook_report_exec() only in the outermost search_binary_handler() call (bprm->recursion_depth == 0). The additional change to restore bprm->recursion_depth after each binfmt load_binary call is actually superfluous for this bug, since we test the value saved on entry to search_binary_handler(). But it keeps the use of of the depth count to its most obvious expected meaning. Depending on what binfmt handlers do in certain cases, there could have been false-positive tests for recursion limits before this change. /* Test program using PTRACE_O_TRACEEXEC. This forks and exec's the first argument with the rest of the arguments, while ptrace'ing. It expects to see one PTRACE_EVENT_EXEC stop and then a successful exit, with no other signals or events in between. Test for kernel doing two PTRACE_EVENT_EXEC stops for a binfmt_misc exec: $ gcc -g traceexec.c -o traceexec $ sudo sh -c 'echo :test:M::foobar::/bin/cat: > /proc/sys/fs/binfmt_misc/register' $ echo 'foobar test' > ./foobar $ chmod +x ./foobar $ ./traceexec ./foobar; echo $? ==> good <== foobar test 0 $ ==> bad <== foobar test unexpected status 0x4057f != 0 3 $ */ #include <stdio.h> #include <sys/types.h> #include <sys/wait.h> #include <sys/ptrace.h> #include <unistd.h> #include <signal.h> #include <stdlib.h> static void wait_for (pid_t child, int expect) { int status; pid_t p = wait (&status); if (p != child) { perror ("wait"); exit (2); } if (status != expect) { fprintf (stderr, "unexpected status %#x != %#x\n", status, expect); exit (3); } } int main (int argc, char **argv) { pid_t child = fork (); if (child < 0) { perror ("fork"); return 127; } else if (child == 0) { ptrace (PTRACE_TRACEME); raise (SIGUSR1); execv (argv[1], &argv[1]); perror ("execve"); _exit (127); } wait_for (child, W_STOPCODE (SIGUSR1)); if (ptrace (PTRACE_SETOPTIONS, child, 0L, (void *) (long) PTRACE_O_TRACEEXEC) != 0) { perror ("PTRACE_SETOPTIONS"); return 4; } if (ptrace (PTRACE_CONT, child, 0L, 0L) != 0) { perror ("PTRACE_CONT"); return 5; } wait_for (child, W_STOPCODE (SIGTRAP | (PTRACE_EVENT_EXEC << 8))); if (ptrace (PTRACE_CONT, child, 0L, 0L) != 0) { perror ("PTRACE_CONT"); return 6; } wait_for (child, W_EXITCODE (0, 0)); return 0; } Reported-by: Arnd Bergmann <arnd@arndb.de> CC: Ulrich Weigand <ulrich.weigand@de.ibm.com> Signed-off-by: Roland McGrath <roland@redhat.com>
-rw-r--r--fs/exec.c10
1 files changed, 9 insertions, 1 deletions
diff --git a/fs/exec.c b/fs/exec.c
index 4e834f16d9da..ec5df9a38313 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -1159,6 +1159,7 @@ EXPORT_SYMBOL(remove_arg_zero);
1159 */ 1159 */
1160int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs) 1160int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs)
1161{ 1161{
1162 unsigned int depth = bprm->recursion_depth;
1162 int try,retval; 1163 int try,retval;
1163 struct linux_binfmt *fmt; 1164 struct linux_binfmt *fmt;
1164#ifdef __alpha__ 1165#ifdef __alpha__
@@ -1219,8 +1220,15 @@ int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs)
1219 continue; 1220 continue;
1220 read_unlock(&binfmt_lock); 1221 read_unlock(&binfmt_lock);
1221 retval = fn(bprm, regs); 1222 retval = fn(bprm, regs);
1223 /*
1224 * Restore the depth counter to its starting value
1225 * in this call, so we don't have to rely on every
1226 * load_binary function to restore it on return.
1227 */
1228 bprm->recursion_depth = depth;
1222 if (retval >= 0) { 1229 if (retval >= 0) {
1223 tracehook_report_exec(fmt, bprm, regs); 1230 if (depth == 0)
1231 tracehook_report_exec(fmt, bprm, regs);
1224 put_binfmt(fmt); 1232 put_binfmt(fmt);
1225 allow_write_access(bprm->file); 1233 allow_write_access(bprm->file);
1226 if (bprm->file) 1234 if (bprm->file)