Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

exec: load_script: don't blindly truncate shebang string

load_script() simply truncates bprm->buf and this is very wrong if the
length of shebang string exceeds BINPRM_BUF_SIZE-2. This can silently
truncate i_arg or (worse) we can execute the wrong binary if buf[2:126]
happens to be the valid executable path.

Change load_script() to return ENOEXEC if it can't find '\n' or zero in
bprm->buf. Note that '\0' can come from either
prepare_binprm()->memset() or from kernel_read(); we do not care.

Link: http://lkml.kernel.org/r/20181112160931.GA28463@redhat.com
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Acked-by: Kees Cook <keescook@chromium.org>
Acked-by: Michal Hocko <mhocko@suse.com>
Cc: Ben Woodard <woodard@redhat.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
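The silent truncation the commit message describes, and the loop that replaces it, as an added C example that is not part of the kernel tree or of this commit: it models both versions of the end-of-line search in user space over a constructed buffer. BINPRM_BUF_SIZE is assumed to be 128 here (matching the message's buf[2:126]); parse_shebang, fill_buf, make_long_script and the wrapper functions are names made up for this example, and the i_name/i_arg split that follows in load_script() is left out.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Assumed value: BINPRM_BUF_SIZE was 128 when this commit landed, so
 * buf[126] is the last byte the old code could keep. */
#define BINPRM_BUF_SIZE 128

/* Model of the pre-patch load_script(): force a terminator into the last
 * byte and treat "no newline found" as "the line ends at the buffer end". */
static int old_find_eol(char *buf)
{
	char *cp;

	buf[BINPRM_BUF_SIZE - 1] = '\0';
	if ((cp = strchr(buf, '\n')) == NULL)
		cp = buf + BINPRM_BUF_SIZE - 1;
	*cp = '\0';
	return 0;
}

/* Model of the patched loop: a first line that reaches the end of the
 * buffer without a '\n' or a NUL is rejected instead of being cut. */
static int new_find_eol(char *buf)
{
	char *cp;

	for (cp = buf + 2;; cp++) {
		if (cp >= buf + BINPRM_BUF_SIZE)
			return -ENOEXEC;
		if (!*cp || (*cp == '\n'))
			break;
	}
	*cp = '\0';
	return 0;
}

/* Stand-in for prepare_binprm(): zero the buffer, then copy at most
 * BINPRM_BUF_SIZE bytes of the file, as kernel_read() would. */
static void fill_buf(char *buf, const char *file_contents)
{
	size_t n = strlen(file_contents);

	memset(buf, 0, BINPRM_BUF_SIZE);
	memcpy(buf, file_contents, n < BINPRM_BUF_SIZE ? n : BINPRM_BUF_SIZE);
}

/* Run one parser over a constructed script. On success copy the raw
 * interpreter string (buf+2, before the i_name/i_arg split) into out. */
int parse_shebang(const char *file_contents, int use_new, char *out, size_t outsz)
{
	char buf[BINPRM_BUF_SIZE];
	int ret;

	fill_buf(buf, file_contents);
	ret = use_new ? new_find_eol(buf) : old_find_eol(buf);
	if (ret == 0) {
		strncpy(out, buf + 2, outsz - 1);
		out[outsz - 1] = '\0';
	} else {
		out[0] = '\0';
	}
	return ret;
}

/* Constructed script: "#!/" + 140 'a' + "/real\n", so the newline lies past
 * the end of bprm->buf and the real path component never reaches it. */
void make_long_script(char *line, size_t linesz)
{
	const char *tail = "/real\n";
	size_t i, pos = 0;

	line[pos++] = '#'; line[pos++] = '!'; line[pos++] = '/';
	for (i = 0; i < 140 && pos < linesz - 1; i++)
		line[pos++] = 'a';
	for (i = 0; tail[i] && pos < linesz - 1; i++)
		line[pos++] = tail[i];
	line[pos] = '\0';
}

/* Status each version returns for the over-long constructed line. */
int long_line_status(int use_new)
{
	char script[256], interp[BINPRM_BUF_SIZE];

	make_long_script(script, sizeof script);
	return parse_shebang(script, use_new, interp, sizeof interp);
}

/* Length of the interpreter string the old code silently hands on. */
size_t long_line_old_interp_len(void)
{
	char script[256], interp[BINPRM_BUF_SIZE];

	make_long_script(script, sizeof script);
	parse_shebang(script, 0, interp, sizeof interp);
	return strlen(interp);
}

/* Both versions agree on a normal first line. */
int short_line_ok(int use_new)
{
	char interp[BINPRM_BUF_SIZE];

	if (parse_shebang("#!/bin/sh -e\nexit 0\n", use_new, interp, sizeof interp))
		return 0;
	return strcmp(interp, "/bin/sh -e") == 0;
}

int main(void)
{
	printf("short line: old ok=%d new ok=%d\n", short_line_ok(0), short_line_ok(1));
	printf("long line, old code: ret=%d, interp silently cut to %zu bytes\n",
	       long_line_status(0), long_line_old_interp_len());
	printf("long line, new code: ret=%d (-ENOEXEC is %d)\n",
	       long_line_status(1), -ENOEXEC);
	return 0;
}
```

The old path returns 0 with a 125-byte interpreter string that ends wherever the buffer happened to end, which is the case the commit message warns about: if that prefix names an existing executable, it runs. The patched path returns -ENOEXEC for the same input and identical results for an ordinary shebang line.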

Authored by Oleg Nesterov and committed by Linus Torvalds
8099b047 fb5bf317

+7 -3
fs/binfmt_script.c
··· 42 42 fput(bprm->file); 43 43 bprm->file = NULL; 44 44 45 - bprm->buf[BINPRM_BUF_SIZE - 1] = '\0'; 46 - if ((cp = strchr(bprm->buf, '\n')) == NULL) 47 - cp = bprm->buf+BINPRM_BUF_SIZE-1; 45 + for (cp = bprm->buf+2;; cp++) { 46 + if (cp >= bprm->buf + BINPRM_BUF_SIZE) 47 + return -ENOEXEC; 48 + if (!*cp || (*cp == '\n')) 49 + break; 50 + } 48 51 *cp = '\0'; 52 + 49 53 while (cp > bprm->buf) { 50 54 cp--; 51 55 if ((*cp == ' ') || (*cp == '\t'))
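Review bot: the rejection in the new loop only fires when neither '\n' nor a NUL appears before `bprm->buf + BINPRM_BUF_SIZE`, so a NUL byte that the file itself carries inside its first line is still taken as end-of-line (as strchr did before), while a line cut by the buffer now fails with -ENOEXEC instead of being truncated at buf[126]; a one-line comment above `for (cp = bprm->buf+2;; cp++) {` saying that an over-long shebang is refused rather than truncated would document this user-visible change where the next reader will look for it.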