Bug in Linux Kernel 2.2.6 [ CONFIG_BINFMT_MISC ]

Olaf Titz (sagrawal@hss.hns.com)
Sun, 25 Apr 1999 03:03:47 +0530 (IST)



Hi,

We have found a *bug* which is pretty serious. It is related to adding
new binary formats using CONFIG_BINFMT_MISC when the support for
CONFIG_BINFMT_MISC is compiled as a module.

A person can register a new binary format which may override the existing
binary formats and hence lead to system lockups or reboots.
We have tested it on various 2.2.6 Linux boxes and the problem is reproducible.

This is a simple test:

1) Compile support for CONFIG_BINFMT_MISC as a module.

2)
[root@sagrawal] /usr/src/linux_new# lsmod
Module                  Size  Used by
binfmt_misc             3108   0

3)
[root@sagrawal] echo ":perl:M::E:\x00:/usr/bin/perl:" > /proc/sys/fs/binfmt_misc/register

4)
Try running any ELF binary and the system reboots.

We have tracked down this problem. The problem is that register_binfmt()
in /usr/src/linux/fs/exec.c adds the new binary format to the beginning of the
linked list. The 'echo' statement above overrides the default ELF binary
handling as the magic/mask pair matches the magic number (ELF) for any ELF binary.
It is very impractical to expect that a person knows about all existing binary
formats before adding a new binary format, hence we have patched exec.c
to append the new binary formats at the end of the linked list.

* We have tested this patch and it is running on all our machines without any
problems when CONFIG_BINFMT_MISC is compiled into the kernel or as a module.

Also we would like to point out that there are some flaws in
binfmt_misc.c

/usr/src/linux/fs/binfmt_misc.c
>> snip Line Number 310
    if ((*sp & ~('E' | 'M')) || (sp[1] != del))
        err = -EINVAL;
>>

Even a string echoed with type I or A can work as M and E respectively.
There should be a cleaner way of doing things :-)
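As an added illustration (not code from this mail or from the kernel), a user-space pre-check for a register line of the form `:name:type:offset:magic:mask:interpreter:` as shown above. It models the quoted type test beside a strict one, and it rejects a mask made only of zero bytes, assuming the kernel's match is `(file byte XOR magic byte) AND mask byte == 0`, so a zero mask lets any file, ELF binaries included, match. The field splitting and `\xHH` decoding are simplified assumptions, not the kernel's parser.

```c
#include <stdlib.h>
#include <string.h>

/* 'E' | 'M' is 0x4D, so the 2.2.6 test `*sp & ~('E' | 'M')` is zero not only
 * for 'E' and 'M' but for any character whose set bits lie inside 0x4D. */
int type_accepted_loose(char c)  { return (c & ~('E' | 'M')) == 0; }
int type_accepted_strict(char c) { return c == 'E' || c == 'M'; } /* fix */
/* Decode \xHH escapes into bytes (assumed to mirror the kernel's unquoting). */
static size_t unquote(const char *s, size_t n, unsigned char *out)
{
    size_t len = 0;
    for (size_t i = 0; i < n; i++, len++) {
        if (s[i] == '\\' && i + 3 < n && s[i + 1] == 'x') {
            char hex[3] = { s[i + 2], s[i + 3], 0 };
            out[len] = (unsigned char)strtoul(hex, NULL, 16);
            i += 3;
        } else
            out[len] = (unsigned char)s[i];
    }
    return len;
}
/* Simplified parse of ":name:type:offset:magic:mask:interpreter:".
 * Returns 0 = acceptable, -1 malformed, -2 type is not E or M,
 * -3 mask is all zero bytes (every file matches; shadows the ELF loader). */
int check_register_line(const char *line)
{
    const char *field[7], *p = line + 1;
    unsigned char magic[64], mask[64];
    size_t flen[7], ml, kl, i;
    int nf = 0;
    if (line[0] == '\0') return -1;
    while (nf < 7 && *p) {                 /* split on the leading delimiter */
        const char *e = strchr(p, line[0]);
        field[nf] = p;
        flen[nf++] = e ? (size_t)(e - p) : strlen(p);
        if (!e) break;
        p = e + 1;
    }
    if (nf < 6 || flen[0] == 0 || flen[1] != 1 || flen[5] == 0) return -1;
    if (!type_accepted_strict(field[1][0])) return -2;
    if (field[1][0] == 'E') return 0;      /* extension entries carry no magic */
    if (flen[3] == 0 || flen[3] > 64 || flen[4] > 64) return -1;
    ml = unquote(field[3], flen[3], magic);
    kl = unquote(field[4], flen[4], mask);
    if (kl == 0) return 0;                 /* no mask: every magic bit compared */
    if (kl != ml) return -1;               /* mask must cover the whole magic */
    for (i = 0; i < kl && mask[i] == 0; i++) {}
    return i == kl ? -3 : 0;
}
```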

Kindly find attached the patch along with this mail and let us know
of any problems you face. It is working very well for us without nasty
reboots ;-))

Cheers,
Sharad Agrawal
Suman Saraf
Hughes Software Systems , India
