【标题描述】execv/uselib和remount可能导致内核产生WARNING
WARNING: CPU: 3 PID: 3188 at fs/exec.c:922 do_open_execat+0x176/0x440 fs/exec.c:922
Modules linked in:
CPU: 3 PID: 3188 Comm: syz-executor104 Not tainted 5.10.0+ #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
RIP: 0010:do_open_execat+0x176/0x440 fs/exec.c:922
Code: df e8 2e c9 f7 ff 44 0f b7 33 bf 00 80 ff ff 66 41 81 e6 00 f0 44 89 f6 e8 17 8b c7 ff 66 41 81 fe 00 80 74 7d e8 5a 93 c7 ff <0f> 0b 48 c7 c3 f3 ff ff ff e8 4c 93 c7 ff 4c 89 e7 49 89 dc e8 31
RSP: 0018:ffff888107a8fcf0 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffff88800a5b7310 RCX: ffffffffa92e8166
RDX: ffff888106e2c380 RSI: 0000000000000000 RDI: 0000000000000005
RBP: 1ffff11020f51fa0 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000004 R11: 0000000000000001 R12: ffff8880073c8480
R13: ffff8880bf00d500 R14: ffff888103b08620 R15: 0000000000000000
FS: 00007f595f081700(0000) GS:ffff888109780000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000004b03b0 CR3: 000000010621a005 CR4: 00000000003706e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
bprm_execve.part.0+0x4f/0x2b0 fs/exec.c:1801
bprm_execve+0xf1/0x140 fs/exec.c:1795
do_execveat_common+0x360/0x4a0 fs/exec.c:1915
do_execveat fs/exec.c:1994 [inline]
__do_sys_execveat fs/exec.c:2070 [inline]
__se_sys_execveat fs/exec.c:2062 [inline]
__x64_sys_execveat+0x8c/0xa0 fs/exec.c:2062
do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x454649
Code: 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f595f080d98 EFLAGS: 00000246 ORIG_RAX: 0000000000000142
RAX: ffffffffffffffda RBX: 00000000006d94c8 RCX: 0000000000454649
RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000004
RBP: 00000000006d94c0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e
R13: 0000000000000000 R14: 00000000006d94c0 R15: 00007ffd555653d0
---[ end trace ea0e86e27b774ef9 ]---
【环境信息】
硬件信息:
NA
软件信息:
OLK5.10
【问题复现步骤】
[ 19.624098] WARNING: CPU: 1 PID: 2515 at fs/exec.c:933 do_open_execat+0x1ee/0x390
[ 19.626444] Modules linked in:
[ 19.627442] CPU: 1 PID: 2515 Comm: repo Not tainted 5.18.0-rc6-00092-gafea41c68705-dirty #495
[ 19.630112] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_073836-buildvm-ppc64le-16.ppc.fedoraproject.org-3.fc314
[ 19.633969] RIP: 0010:do_open_execat+0x1ee/0x390
[ 19.634615] Code: 65 48 33 04 25 28 00 00 00 0f 85 ae 01 00 00 48 83 c4 20 4c 89 e0 5b 41 5c c3 48 83 05 d2 90 fc 0b 01 48 83 05 d2 90 fc8
[ 19.637103] RSP: 0018:ffffc90001493e40 EFLAGS: 00010202
[ 19.637831] RAX: 0000000000008000 RBX: ffff888100bab000 RCX: 0000000000000000
[ 19.638806] RDX: ffff88817a205b40 RSI: ffff88817dff0800 RDI: 0000000000000000
[ 19.639780] RBP: 00000000ffffff9c R08: ffff888237cac0a8 R09: 0000000000000004
[ 19.640756] R10: 00000000000002f1 R11: 000000048aad5d08 R12: ffff88817ea47700
[ 19.641727] R13: ffff888100bab000 R14: 0000000000000000 R15: 0000000000000001
[ 19.642671] FS: 00007f4398c0e440(0000) GS:ffff888237c80000(0000) knlGS:0000000000000000
[ 19.643736] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 19.644504] CR2: 00007ffd176e4ba8 CR3: 00000001748e7000 CR4: 00000000000006e0
[ 19.645439] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 19.646382] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 19.647325] Call Trace:
[ 19.647677] <TASK>
[ 19.647970] bprm_execve+0x1c6/0xa60
[ 19.648444] ? copy_string_kernel+0xc9/0x3c0
[ 19.649030] do_execveat_common.isra.0+0x2df/0x320
[ 19.649683] __x64_sys_execve+0x4b/0x70
[ 19.650194] do_syscall_64+0x35/0x80
[ 19.650689] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 19.651355] RIP: 0033:0x7f43984d5027
[ 19.651852] Code: ff 76 e0 f7 d8 64 41 89 01 eb d8 0f 1f 84 00 00 00 00 00 f7 d8 64 41 89 01 eb d7 0f 1f 84 00 00 00 00 00 b8 3b 00 00 008
[ 19.654291] RSP: 002b:00007ffd4615f6f8 EFLAGS: 00000202 ORIG_RAX: 000000000000003b
[ 19.655304] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f43984d5027
[ 19.656255] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000000040079f
[ 19.657206] RBP: 00007ffd4615f710 R08: 00007f4398c0e440 R09: 00007f4398811090
[ 19.658162] R10: 0000000000000003 R11: 0000000000000202 R12: 0000000000400520
[ 19.659116] R13: 00007ffd4615f7f0 R14: 0000000000000000 R15: 0000000000000000
[ 19.660074] </TASK>
[ 19.660376] ---[ end trace 0000000000000000 ]---
[ 19.661008] exec my_bin 4 0 tmpfs
【附件信息】
diff
diff --git a/fs/exec.c b/fs/exec.c
index e3e55d5e0be1..388d38b87e9a 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -897,6 +897,7 @@ EXPORT_SYMBOL(transfer_args_to_stack);
#endif /* CONFIG_MMU */
+#include <linux/delay.h>
static struct file *do_open_execat(int fd, struct filename *name, int flags)
{
struct file *file;
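Review bot: The added `#include <linux/delay.h>` sits in the middle of fs/exec.c, directly after `#endif /* CONFIG_MMU */`, instead of in the include block at the top of the file. That is a point of style rather than correctness, but a mid-file include is easy to overlook when the `msleep()` instrumentation it serves is removed again, and its placement right after a conditional block invites the question of whether it was meant to be conditional. If this debugging patch is kept on a branch, move the line up next to the other `#include <linux/...>` lines. The function do_open_execat begins at the end of this hunk and its body continues in the next one.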
@@ -925,9 +926,15 @@ static struct file *do_open_execat(int fd, struct filename *name, int flags)
* and check again at the very end too.
*/
err = -EACCES;
+ if (!strcmp(file->f_path.dentry->d_iname, "my_bin")) {
+ pr_err("wait ...\n");
+ msleep(3000);
+ }
if (WARN_ON_ONCE(!S_ISREG(file_inode(file)->i_mode) ||
- path_noexec(&file->f_path)))
+ path_noexec(&file->f_path))) {
+ pr_err("exec %pd %d %d %s\n", file->f_path.dentry, file->f_path.mnt->mnt_flags & MNT_NOEXEC, file->f_path.mnt->mnt_sb->s_iflags & SB_I_NOEXEC, file->f_path.mnt->mnt_sb->s_type->name);
goto exit;
+ }
err = deny_write_access(file);
if (err)
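Review bot: The instrumentation keys on `file->f_path.dentry->d_iname`, but `d_iname` is only the inline short-name buffer and is not the authoritative name when `d_name.name` points elsewhere; the accessor to compare against is `file->f_path.dentry->d_name.name`, and the same applies to the added `strcmp(path->dentry->d_iname, "my_bin")` in the fs/namei.c hunk. The traces in the report and the new `pr_err` inside the WARN branch show what this patch exposes: `path_noexec()` passes in may_open() and then fails here because a remount flipped the mount to noexec in between, so the `WARN_ON_ONCE` is reachable by a remount racing with exec rather than by a kernel logic error, and a WARN that user activity can trigger is a problem on systems running with panic_on_warn. When the instrumentation is turned into a real fix, the condition should presumably become a plain check that falls through to `goto exit;` with -EACCES and no WARN; the `msleep(3000)` and `pr_err` lines are reproduction-only and must not be carried into that fix. do_open_execat starts in the previous hunk and its body continues past the end of this one.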
diff --git a/fs/namei.c b/fs/namei.c
index 509657fdf4f5..443e2fe6f6c4 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -3095,6 +3095,8 @@ static int may_open(struct user_namespace *mnt_userns, const struct path *path,
case S_IFREG:
if ((acc_mode & MAY_EXEC) && path_noexec(path))
return -EACCES;
+ if (!strcmp(path->dentry->d_iname, "my_bin"))
+ pr_err("check pass %d %d\n", acc_mode & MAY_EXEC, path_noexec(path));
break;
}
repo.c
#define _GNU_SOURCE /* See feature_test_macros(7) */
#include <errno.h>
#include <fcntl.h>
#include <getopt.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <sys/xattr.h>
#define __NR_uselib 86
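int main(void)
{
	/*
	 * Reproducer for the do_open_execat() WARNING in the report: a
	 * tmpfs mount holding an executable "my_bin" is remounted noexec by
	 * a child while the parent is inside execve() of that file, so the
	 * path_noexec() check in may_open() can pass and the later check in
	 * do_open_execat() can fail.
	 *
	 * All steps use the same absolute mount point.  The original mixed a
	 * cwd-relative "temp" in the shell commands with an absolute
	 * "/root/temp/my_bin" in execve(), which only agree when the cwd is
	 * /root.  The shell commands are fixed literals with no external
	 * input, so system() is acceptable for this harness.
	 */
	static const char mount_dir[] = "/root/temp";
	static const char bin_path[] = "/root/temp/my_bin";
	pid_t child;

	/*
	 * Start from a clean tmpfs.  The umount may legitimately fail when
	 * nothing is mounted yet, so its result is ignored; the redirection
	 * order is "> /dev/null 2>&1" so that stderr is silenced as intended
	 * (the original "2>&1 > /dev/null" still printed stderr).
	 */
	(void)system("umount /root/temp > /dev/null 2>&1");
	if (system("mount -t tmpfs none /root/temp") != 0) {
		fprintf(stderr, "mount tmpfs on %s failed\n", mount_dir);
		return EXIT_FAILURE;
	}
	/* "my_bin" is the name the kernel debug instrumentation keys on. */
	if (system("echo 12312 > /root/temp/my_bin && chmod +x /root/temp/my_bin") != 0) {
		fprintf(stderr, "creating %s failed\n", bin_path);
		return EXIT_FAILURE;
	}

	child = fork();
	if (child < 0) {
		perror("fork fail");
		return EXIT_FAILURE;
	}
	if (child == 0) {
		/* Child: flip the mount to noexec while the parent is in execve(). */
		(void)system("mount -oremount,noexec /root/temp");
		_exit(EXIT_SUCCESS);
	}

	/*
	 * Parent: execve() only returns on failure.  Linux tolerates a NULL
	 * argv, but POSIX requires argv[0], so pass a real vector; the
	 * environment is deliberately empty, as in the original (envp 0).
	 */
	char *const argv[] = { "my_bin", NULL };
	char *const envp[] = { NULL };
	execve(bin_path, argv, envp);
	perror("execve");
	/* Alternative trigger mentioned in the report, kept as in the original: */
	//syscall(__NR_uselib, "/root/temp/my_bin");

	/* Reap the remounting child so it is not left as a zombie. */
	(void)waitpid(child, NULL, 0);
	return EXIT_FAILURE;
}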