Re: + fs-binfmts-better-handling-of-binfmt-loops.patch added to -mmtree

From: Zach Levis
Date: Thu Aug 01 2013 - 12:02:35 EST

Quoting Oleg Nesterov <oleg@xxxxxxxxxx>:

On 07/31, Oleg Nesterov wrote:

> From: Zach Levis <zml@xxxxxxxxxxxxxxxxxx>
> Subject: fs/binfmts: better handling of binfmt loops
> With these changes, when a binfmt loop is encountered, the ELOOP will
> propagate back to the 0 depth. At this point the argv and argc values
> will be reset to what they were originally and an attempt is made to
> continue with the following binfmt handlers.

I must admit, I do not really understand why do we want to recover
after pr_err(). Perhaps the changelog could say a bit more.

And still can't. Probably I missed something, but it seems that
this tries to "fix" the wrong /proc/sys/fs/binfmt_misc/register...

So an example of what this would be used for (going into commit message of a v2 with your earlier suggestions):
A qemu is configured to run 64-bit ELFs on an otherwise 32-bit system. The system's owner switches to running with 64-bit executables, but forgets to disable the binfmt_misc option that redirects 64bit ELFs to qemu. Since the qemu executable is a 64-bit ELF now, binfmt_misc keeps on matching it with the qemu rule, preventing the execution of any 64-bit binary.

With this patch, an error is printed and search_binary_handler() continues on to the next handler, allowing the original executable to run normally so the user can (hopefully) fix their misconfiguration more easily.

> +
> + copy_strings(bprm->argc_orig, *((struct user_arg_ptr *) bprm->argv_orig), bprm);

Perhaps it would be more clean to add "struct user_arg_ptr;"
into binfmts.h and avoid the typecast.

I was kinda trying to avoid exposing the struct, but yeah, that's better.

And I do not think we should ignore the possible error from
copy_strings(). Even if we know that it succeeded before, another
thread can, say, unmap this memory in between.

And since we do copy_strings() again we probably need acct_arg_size()
after remove_arg_zero() loop, although this is not that important.
I'm not sure if that's even necessary. It looks like there's copy_strings()->get_arg_page()->acct_arg_size() that's already called.

And with this patch "depth == 0" check(s) look even worse, imho we
need to cleanup this code first. And proc_exec_connector() looks
simply wrong. I'll try to make a patch.

But once again, I can be easily wrong, so please correct me.


To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at
Please read the FAQ at