The misc format handler is configured to work in many boards and distributions, exposing a volnurability that enables an attacker with a temporary root access to configure the system to gain a hidden persistent root acces. This can be easily demonstrated using https://github.com/toffan/binfmt_misc .
According to binfmt_misc documentation (https://lwn.net/Articles/679310/), the handler is used to execute more binary formats, e.g. execs compiled for different architectures. After this patch, every mentioned example in the documentation shall work. I tested this patch using a "positive example" - running and ARM executable on an x86 machine using a qemu-arm misc handler, and a "negative example" of running the demostration by toffan I mention above. Before the patch both examples work, and after the patch only the positive example work where the volnurability is prevented. Signed-off-by: Carmeli Tamir <carmeli.ta...@gmail.com> --- fs/binfmt_elf.c | 2 +- fs/binfmt_misc.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c index d4e11b2e04f6..3a2afe84943c 100644 --- a/fs/binfmt_elf.c +++ b/fs/binfmt_elf.c @@ -2411,7 +2411,7 @@ static int elf_core_dump(struct coredump_params *cprm) static int __init init_elf_binfmt(void) { - register_binfmt(&elf_format); + insert_binfmt(&elf_format); return 0; } diff --git a/fs/binfmt_misc.c b/fs/binfmt_misc.c index b8e145552ec7..f4a9e1154cae 100644 --- a/fs/binfmt_misc.c +++ b/fs/binfmt_misc.c @@ -859,7 +859,7 @@ static int __init init_misc_binfmt(void) { int err = register_filesystem(&bm_fs_type); if (!err) - insert_binfmt(&misc_format); + register_binfmt(&misc_format); return err; } -- 2.21.0
