Commit 131b2f9f authored by Oleg Nesterov, committed by Linus Torvalds

exec: kill "int depth" in search_binary_handler()



Nobody except search_binary_handler() should touch ->recursion_depth, "int
depth" buys nothing but complicates the code, kill it.

Probably we should also kill "fn" and the !NULL check, ->load_binary
should be always defined.  And it can not go away after read_unlock() or
this code is buggy anyway.

Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Acked-by: Kees Cook <keescook@chromium.org>
Cc: Al Viro <viro@ZenIV.linux.org.uk>
Cc: Evgeniy Polyakov <zbr@ioremap.net>
Cc: Zach Levis <zml@linux.vnet.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
parent 5d1baf3b
+4 −5
@@ -1370,12 +1370,11 @@ EXPORT_SYMBOL(remove_arg_zero);
 */
int search_binary_handler(struct linux_binprm *bprm)
{
	unsigned int depth = bprm->recursion_depth;
	int try, retval;
	struct linux_binfmt *fmt;

	/* This allows 4 levels of binfmt rewrites before failing hard. */
	if (depth > 5)
	if (bprm->recursion_depth > 5)
		return -ELOOP;

	retval = security_bprm_check(bprm);
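Review bot: the comment above the `bprm->recursion_depth > 5` check says 4 levels of binfmt rewrites are allowed, but the comparison uses 5 and nothing in this hunk explains the difference. Since the line is being rewritten anyway, consider either stating in the comment why the tested limit is higher than the number quoted, or replacing the literal with a named constant so the comment and the check cannot drift apart.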
@@ -1396,9 +1395,9 @@ int search_binary_handler(struct linux_binprm *bprm)
			if (!try_module_get(fmt->module))
				continue;
			read_unlock(&binfmt_lock);
			bprm->recursion_depth = depth + 1;
			bprm->recursion_depth++;
			retval = fn(bprm);
			bprm->recursion_depth = depth;
			bprm->recursion_depth--;
			if (retval >= 0) {
				put_binfmt(fmt);
				allow_write_access(bprm->file);
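Review bot: around `retval = fn(bprm);` the old code restored `bprm->recursion_depth = depth` from a saved local, so the value after the call was correct whatever the handler did; with `++`/`--` it is only correct if every ->load_binary leaves the field balanced. The commit message states that as the rule, so it is worth confirming before merge that no binfmt handler still writes ->recursion_depth, because one that does would now skew the -ELOOP limit check at the top of the function for the remainder of the exec.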
+1 −1
@@ -31,7 +31,7 @@ struct linux_binprm {
#ifdef __alpha__
	unsigned int taso:1;
#endif
	unsigned int recursion_depth;
	unsigned int recursion_depth; /* only for search_binary_handler() */
	struct file * file;
	struct cred *cred;	/* new credentials */
	int unsafe;		/* how unsafe this exec is (mask of LSM_UNSAFE_*) */
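Review bot: the new comment on `recursion_depth` records who may touch the field but not what it counts. Something like `/* binfmt rewrite nesting, only for search_binary_handler() */` would document both the meaning and the ownership rule in one place, which helps since the rule is a convention and not enforced by the type.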