From: Tong Zhang
Subject: Leaking path for search_binary_handler
Date: Tue, 25 Sep 2018 13:27:03 -0400
To: viro@zeniv.linux.org.uk
Cc: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, wenbo.s@samsung.com

Kernel Version: 4.18.5

Problem Description:

search_binary_handler() should be called after setting bprm using prepare_binprm(), and in prepare_binprm() there's an LSM hook, security_bprm_set_creds(), which can make a decision that binfmt cares about. We found a leaking path in fs/binfmt_misc.c:235 that doesn't ask for the LSM's decision.

- Tong
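
An added user-space model of the ordering the report describes (not kernel code and not part of the original message): the function names follow the report, while the struct, the deny policy and the `guarded` check are assumptions made for illustration. It contrasts the expected path, where the LSM decision precedes handler dispatch, with a path that dispatches without it.

```c
/* User-space model only; NOT kernel code. Function names mirror the report,
 * struct fields and the policy are constructed for this example. */
#include <errno.h>
#include <stddef.h>
#include <string.h>

struct binprm_model {
    const char *file;        /* binary about to be handed to a handler */
    const char *vetted_file; /* file the LSM hook last approved, or NULL */
};

/* Constructed LSM policy: deny anything under /untrusted/. */
static int security_bprm_set_creds(struct binprm_model *bprm)
{
    if (strncmp(bprm->file, "/untrusted/", 11) == 0)
        return -EACCES;
    bprm->vetted_file = bprm->file;
    return 0;
}

/* As in the report: the LSM hook runs inside prepare_binprm(). */
static int prepare_binprm(struct binprm_model *bprm)
{
    return security_bprm_set_creds(bprm);
}

/* Handler dispatch; the optional guard refuses a file the LSM never saw. */
static int search_binary_handler(struct binprm_model *bprm, int guarded)
{
    if (guarded && bprm->vetted_file != bprm->file)
        return -EPERM;
    return 0; /* a real handler would load bprm->file here */
}

/* Expected path: prepare (LSM decision) first, then dispatch. */
int exec_checked(const char *file)
{
    struct binprm_model bprm = { file, NULL };
    int ret = prepare_binprm(&bprm);
    return ret < 0 ? ret : search_binary_handler(&bprm, 1);
}

/* Leaking path: dispatch without prepare_binprm(), so no LSM decision. */
int exec_leaky(const char *file, int guarded)
{
    struct binprm_model bprm = { file, NULL };
    return search_binary_handler(&bprm, guarded);
}
```

With `guarded` set to 0 the leaky path succeeds for a file the policy would have denied; with the guard on, the missing decision is caught at dispatch.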