Re: [PATCH] fs/binfmt_misc.c: do not allow offset overflow

From: Thadeu Lima de Souza Cascardo
Date: Tue May 29 2018 - 18:25:32 EST


On Tue, May 29, 2018 at 03:08:54PM -0700, Andrew Morton wrote:
> On Tue, 29 May 2018 10:56:48 -0300 Thadeu Lima de Souza Cascardo <cascardo@xxxxxxxxxxxxx> wrote:
>
> > It's possible to overflow the offset to get a negative value, which might
> > crash the system, or possibly leak kernel data.
>
> I think the missing information here is "when registering a new
> binfmt_misc binary type", yes?
>

Yes, when registering a new type.

[...]
> > Cc: stable@xxxxxxxxxxxxxxx
>
> Registering a handler is a privileged operation. As such, I don't
> think a -stable backport is needed?
>

Not when we take containers in mind. We might question the permission to mount
a binfmt_misc inside a container, that may already have left open other ways of
exploiting the system. But I would rather see this closed on my stable systems.

Cascardo.
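
The failure mode discussed in this thread, as an added userspace illustration (not the patch under discussion and not kernel code): a decimal offset field parsed into an `int` can wrap to a negative value, and a range check at registration time rejects it. The function names, the 128-byte buffer size and the sample strings are assumptions constructed for the example.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed size of the header buffer that the offset indexes into. */
#define HDR_BUF_SIZE 128

/* Unchecked parse: a large decimal string wraps to a negative int. */
int parse_offset_unchecked(const char *field)
{
    /* Out-of-range conversion to int is implementation-defined;
     * on common compilers it wraps modulo 2^32. */
    return (int)strtoul(field, NULL, 10);
}

/* Checked parse: accept only offsets where offset + magic_len fits
 * inside the buffer. Returns 0 on success, -EINVAL otherwise. */
int parse_offset_checked(const char *field, size_t magic_len, int *out)
{
    char *end;
    long v;

    if (magic_len == 0 || magic_len > HDR_BUF_SIZE)
        return -EINVAL;
    errno = 0;
    v = strtol(field, &end, 10);
    if (end == field || *end != '\0' || errno == ERANGE)
        return -EINVAL;
    if (v < 0 || v > (long)(HDR_BUF_SIZE - magic_len))
        return -EINVAL;
    *out = (int)v;
    return 0;
}

int main(void)
{
    const char *samples[] = { "0", "124", "125", "-1", "4294967295" }; /* constructed */
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int off = -1;
        int rc = parse_offset_checked(samples[i], 4, &off);
        printf("%-12s unchecked=%d checked rc=%d\n",
               samples[i], parse_offset_unchecked(samples[i]), rc);
    }
    return 0;
}
```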