diff options
author | Neil Horman <nhorman@tuxdriver.com> | 2009-09-23 18:56:54 -0400 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2009-09-24 10:21:00 -0400 |
commit | 725eae32df7754044809973034429a47e6035158 (patch) | |
tree | 96a66c65a085940a19374ee02c26fb8f1931a6be /fs | |
parent | ae6d2ed7bb3877ff35b9569402025f40ea2e1803 (diff) |
exec: make do_coredump() more resilient to recursive crashes
Change how we detect recursive dumps.
Currently we have a mechanism by which we try to compare pathnames of the
crashing process to the core_pattern path. This is broken for a dozen
reasons, and just doesn't work in any sort of robust way.
I'm replacing it with the use of a 0 RLIMIT_CORE value. Since helper apps
set RLIMIT_CORE to zero, we don't write out core files for any process
with that particular limit set. It the core_pattern is a pipe, any
non-zero limit is translated to RLIM_INFINITY.
This allows complete dumps to be captured, but prevents infinite recursion
in the event that the core_pattern process itself crashes.
[akpm@linux-foundation.org: coding-style fixes]
Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
Reported-by: Earl Chew <earl_chew@agilent.com>
Cc: Oleg Nesterov <oleg@tv-sign.ru>
Cc: Andi Kleen <andi@firstfloor.org>
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'fs')
-rw-r--r-- | fs/exec.c | 45 |
1 files changed, 23 insertions, 22 deletions
@@ -1799,38 +1799,39 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) | |||
1799 | lock_kernel(); | 1799 | lock_kernel(); |
1800 | ispipe = format_corename(corename, signr); | 1800 | ispipe = format_corename(corename, signr); |
1801 | unlock_kernel(); | 1801 | unlock_kernel(); |
1802 | /* | 1802 | |
1803 | * Don't bother to check the RLIMIT_CORE value if core_pattern points | ||
1804 | * to a pipe. Since we're not writing directly to the filesystem | ||
1805 | * RLIMIT_CORE doesn't really apply, as no actual core file will be | ||
1806 | * created unless the pipe reader choses to write out the core file | ||
1807 | * at which point file size limits and permissions will be imposed | ||
1808 | * as it does with any other process | ||
1809 | */ | ||
1810 | if ((!ispipe) && (core_limit < binfmt->min_coredump)) | 1803 | if ((!ispipe) && (core_limit < binfmt->min_coredump)) |
1811 | goto fail_unlock; | 1804 | goto fail_unlock; |
1812 | 1805 | ||
1813 | if (ispipe) { | 1806 | if (ispipe) { |
1807 | if (core_limit == 0) { | ||
1808 | /* | ||
1809 | * Normally core limits are irrelevant to pipes, since | ||
1810 | * we're not writing to the file system, but we use | ||
1811 | * core_limit of 0 here as a speacial value. Any | ||
1812 | * non-zero limit gets set to RLIM_INFINITY below, but | ||
1813 | * a limit of 0 skips the dump. This is a consistent | ||
1814 | * way to catch recursive crashes. We can still crash | ||
1815 | * if the core_pattern binary sets RLIM_CORE = !0 | ||
1816 | * but it runs as root, and can do lots of stupid things | ||
1817 | * Note that we use task_tgid_vnr here to grab the pid | ||
1818 | * of the process group leader. That way we get the | ||
1819 | * right pid if a thread in a multi-threaded | ||
1820 | * core_pattern process dies. | ||
1821 | */ | ||
1822 | printk(KERN_WARNING | ||
1823 | "Process %d(%s) has RLIMIT_CORE set to 0\n", | ||
1824 | task_tgid_vnr(current), current->comm); | ||
1825 | printk(KERN_WARNING "Aborting core\n"); | ||
1826 | goto fail_unlock; | ||
1827 | } | ||
1828 | |||
1814 | helper_argv = argv_split(GFP_KERNEL, corename+1, &helper_argc); | 1829 | helper_argv = argv_split(GFP_KERNEL, corename+1, &helper_argc); |
1815 | if (!helper_argv) { | 1830 | if (!helper_argv) { |
1816 | printk(KERN_WARNING "%s failed to allocate memory\n", | 1831 | printk(KERN_WARNING "%s failed to allocate memory\n", |
1817 | __func__); | 1832 | __func__); |
1818 | goto fail_unlock; | 1833 | goto fail_unlock; |
1819 | } | 1834 | } |
1820 | /* Terminate the string before the first option */ | ||
1821 | delimit = strchr(corename, ' '); | ||
1822 | if (delimit) | ||
1823 | *delimit = '\0'; | ||
1824 | delimit = strrchr(helper_argv[0], '/'); | ||
1825 | if (delimit) | ||
1826 | delimit++; | ||
1827 | else | ||
1828 | delimit = helper_argv[0]; | ||
1829 | if (!strcmp(delimit, current->comm)) { | ||
1830 | printk(KERN_NOTICE "Recursive core dump detected, " | ||
1831 | "aborting\n"); | ||
1832 | goto fail_unlock; | ||
1833 | } | ||
1834 | 1835 | ||
1835 | core_limit = RLIM_INFINITY; | 1836 | core_limit = RLIM_INFINITY; |
1836 | 1837 | ||