diff options
author | Dean Deng <deandeng@google.com> | 2019-10-29 13:58:09 -0700 |
---|---|---|
committer | gVisor bot <gvisor-bot@google.com> | 2019-10-29 13:59:28 -0700 |
commit | 38330e93774e68324d8f43adb27178453dee18b6 (patch) | |
tree | 4e9ac6de2c56a4fb7b40f1947918987b244756da /pkg/sentry | |
parent | c0b8fd4b6a9fcb595f3200577b93d07737cfaacd (diff) |
Update symlink traversal limit when resolving interpreter path.
When execveat is called on an interpreter script, the symlink count for
resolving the script path should be separate from the count for resolving the
the corresponding interpreter. An ELOOP error should not occur if we do not hit
the symlink limit along any individual path, even if the total number of
symlinks encountered exceeds the limit.
Closes #574
PiperOrigin-RevId: 277358474
Diffstat (limited to 'pkg/sentry')
-rw-r--r-- | pkg/sentry/loader/elf.go | 2 | ||||
-rw-r--r-- | pkg/sentry/loader/loader.go | 2 |
2 files changed, 4 insertions, 0 deletions
diff --git a/pkg/sentry/loader/elf.go b/pkg/sentry/loader/elf.go index 3ea037e4d..c2c3ec06e 100644 --- a/pkg/sentry/loader/elf.go +++ b/pkg/sentry/loader/elf.go @@ -644,6 +644,8 @@ func loadELF(ctx context.Context, args LoadArgs) (loadedELF, arch.Context, error // resolved, the interpreter should still be resolved if it is // a symlink. args.ResolveFinal = true + // Refresh the traversal limit. + *args.RemainingTraversals = linux.MaxSymlinkTraversals args.Filename = bin.interpreter d, i, err := openPath(ctx, args) if err != nil { diff --git a/pkg/sentry/loader/loader.go b/pkg/sentry/loader/loader.go index 803e7d41e..b03eeb005 100644 --- a/pkg/sentry/loader/loader.go +++ b/pkg/sentry/loader/loader.go @@ -293,6 +293,8 @@ func loadExecutable(ctx context.Context, args LoadArgs) (loadedELF, arch.Context ctx.Infof("Error loading interpreter script: %v", err) return loadedELF{}, nil, nil, nil, err } + // Refresh the traversal limit for the interpreter. + *args.RemainingTraversals = linux.MaxSymlinkTraversals default: ctx.Infof("Unknown magic: %v", hdr) return loadedELF{}, nil, nil, nil, syserror.ENOEXEC |