Leaking path for search_binary_handler

From: Tong Zhang
Date: Tue Sep 25 2018 - 13:27:13 EST


Kernel Version: 4.18.5

Problem Description:

search_binary_handler() should be called after setting bprm using prepare_binprm(),
and in prepare_binprm(), thereâs a LSM hook security_bprm_set_creds(),
which can make a decision that binfmt cares.

We found a leaking path In fs/binfmt_misc.c:235, that donât ask LSMâs decision.

- Tong