Leaking path for search_binary_handler

Stephen Smalley sds at tycho.nsa.gov
Wed Sep 26 12:59:38 UTC 2018


On 09/25/2018 01:27 PM, Tong Zhang wrote:
> Kernel Version: 4.18.5
> 
> Problem Description:
> 
> search_binary_handler() should be called after setting bprm using prepare_binprm(),
> and in prepare_binprm(), there’s a LSM hook security_bprm_set_creds(),
> which can make a decision that binfmt cares.
> 
> We found a leaking path In fs/binfmt_misc.c:235, that don’t ask LSM’s decision.

Do you mean the MISC_FMT_CREDENTIALS case? That looks intentional to me, 
as noted in the comment there, and as per 
Documentation/admin-guide/binfmt-misc.rst's discussion of the 
credentials flag.



More information about the Linux-security-module-archive mailing list