2018-09-25 17:27:51

by TongZhang

Subject: Leaking path for search_binary_handler

Kernel Version: 4.18.5

Problem Description:

search_binary_handler() should be called after setting bprm using prepare_binprm(),
and in prepare_binprm() there's an LSM hook, security_bprm_set_creds(),
which can make a decision that binfmt cares about.

We found a leaking path in fs/binfmt_misc.c:235 that doesn't ask for the LSM's decision.

- Tong


2018-09-26 12:59:35

by Stephen Smalley

Subject: Re: Leaking path for search_binary_handler

On 09/25/2018 01:27 PM, Tong Zhang wrote:
> Kernel Version: 4.18.5
>
> Problem Description:
>
> search_binary_handler() should be called after setting bprm using prepare_binprm(),
> and in prepare_binprm() there's an LSM hook, security_bprm_set_creds(),
> which can make a decision that binfmt cares about.
>
> We found a leaking path in fs/binfmt_misc.c:235 that doesn't ask for the LSM's decision.

Do you mean the MISC_FMT_CREDENTIALS case? That looks intentional to me,
as noted in the comment there, and as per
Documentation/admin-guide/binfmt-misc.rst's discussion of the
credentials flag.
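As an added example, not code from this thread, the kernel, or the documentation it cites: an administrator who wants to know which registered binfmt_misc handlers take the MISC_FMT_CREDENTIALS path can audit the entries under /proc/sys/fs/binfmt_misc for the 'C' flag. The script below assumes the per-handler entry format the kernel prints ("enabled"/"disabled", "interpreter <path>", "flags: <letters>", then offset/magic or extension) and the flag letters P, O, C and F from binfmt-misc.rst; the sample directory it builds is constructed for offline use and its magic values are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread or the kernel): list binfmt_misc handlers
# and mark those registered with the credentials ('C') flag, i.e. the case where
# the new process's credentials are taken from the binary rather than from the
# interpreter. Assumed entry layout of /proc/sys/fs/binfmt_misc/<name>:
#   enabled|disabled
#   interpreter <path>
#   flags: <letters from P O C F>
#   offset <n> / magic <hex>   (or: extension .<ext>)

# Print the flag letters of one entry whose text is passed as $1.
binfmt_flags() {
    printf '%s\n' "$1" | sed -n 's/^flags: *//p' | head -n 1
}

# Succeed (exit 0) when the entry's flags include C.
binfmt_has_credentials_flag() {
    case "$(binfmt_flags "$1")" in
        *C*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Print one tab-separated line per handler in DIR (default: live procfs):
# name, state, interpreter, flags, and a CREDENTIALS marker for the C flag.
audit_binfmt_misc() {
    dir="${1:-/proc/sys/fs/binfmt_misc}"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        # "register" and "status" are control files, not handler entries.
        case "$name" in register|status) continue ;; esac
        entry=$(cat "$f")
        state=$(printf '%s\n' "$entry" | head -n 1)
        interp=$(printf '%s\n' "$entry" | sed -n 's/^interpreter //p')
        flags=$(binfmt_flags "$entry")
        marker="-"
        if binfmt_has_credentials_flag "$entry"; then
            marker="CREDENTIALS"
        fi
        printf '%s\t%s\t%s\t%s\t%s\n' "$name" "$state" "$interp" "${flags:-none}" "$marker"
    done
}

# Build a constructed (fake) binfmt_misc directory so the audit can run
# offline; the registrations and magic values are made up for illustration.
make_sample_binfmt_dir() {
    d=$(mktemp -d)
    printf 'enabled\ninterpreter /usr/bin/qemu-arm-static\nflags: OC\noffset 0\nmagic 7f454c4601010100\n' > "$d/qemu-arm"
    printf 'enabled\ninterpreter /usr/bin/mono\nflags: \noffset 0\nmagic 4d5a\n' > "$d/cli"
    printf 'disabled\ninterpreter /usr/bin/wine\nflags: F\nextension .exe\n' > "$d/wine"
    printf 'enabled\n' > "$d/status"
    printf '%s\n' "$d"
}

# Count the handlers in DIR that use the credentials flag.
count_credentials_handlers() {
    audit_binfmt_misc "$1" | grep -c 'CREDENTIALS$'
}

# Run with --demo to audit the constructed directory instead of the live one.
if [ "${1:-}" = "--demo" ]; then
    sample=$(make_sample_binfmt_dir)
    audit_binfmt_misc "$sample"
    rm -rf "$sample"
fi
```

Run `sh audit_binfmt.sh --demo` to see the output on the constructed entries, or call `audit_binfmt_misc` with no argument on a host where binfmt_misc is mounted; every line marked CREDENTIALS is a handler whose executions take the flag-dependent path this thread is discussing, so those are the registrations worth reviewing against the LSM policy in place.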