public inbox for linux-kernel@vger.kernel.org
From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Oleg Nesterov <oleg@redhat.com>, Ben Woodard <woodard@redhat.com>,
	"Eric W. Biederman" <ebiederm@xmission.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	Linus Torvalds <torvalds@linux-foundation.org>,
	Sasha Levin <sashal@kernel.org>,
	linux-fsdevel@vger.kernel.org
Subject: [PATCH AUTOSEL 3.18 61/61] exec: load_script: don't blindly truncate shebang string
Date: Mon, 28 Jan 2019 11:26:23 -0500
Message-ID: <20190128162623.59854-61-sashal@kernel.org>
In-Reply-To: <20190128162623.59854-1-sashal@kernel.org>

From: Oleg Nesterov <oleg@redhat.com>

[ Upstream commit 8099b047ecc431518b9bb6bdbba3549bbecdc343 ]

load_script() simply truncates bprm->buf and this is very wrong if the
length of shebang string exceeds BINPRM_BUF_SIZE-2.  This can silently
truncate i_arg or (worse) we can execute the wrong binary if buf[2:126]
happens to be the valid executable path.

Change load_script() to return ENOEXEC if it can't find '\n' or zero in
bprm->buf.  Note that '\0' can come from either
prepare_binprm()->memset() or from kernel_read(); we do not care.

Link: http://lkml.kernel.org/r/20181112160931.GA28463@redhat.com
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Acked-by: Kees Cook <keescook@chromium.org>
Acked-by: Michal Hocko <mhocko@suse.com>
Cc: Ben Woodard <woodard@redhat.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/binfmt_script.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/fs/binfmt_script.c b/fs/binfmt_script.c
index 5027a3e14922..f62e45df2d38 100644
--- a/fs/binfmt_script.c
+++ b/fs/binfmt_script.c
@@ -33,10 +33,14 @@ static int load_script(struct linux_binprm *bprm)
 	fput(bprm->file);
 	bprm->file = NULL;
 
-	bprm->buf[BINPRM_BUF_SIZE - 1] = '\0';
-	if ((cp = strchr(bprm->buf, '\n')) == NULL)
-		cp = bprm->buf+BINPRM_BUF_SIZE-1;
+	for (cp = bprm->buf+2;; cp++) {
+		if (cp >= bprm->buf + BINPRM_BUF_SIZE)
+			return -ENOEXEC;
+		if (!*cp || (*cp == '\n'))
+			break;
+	}
 	*cp = '\0';
+
 	while (cp > bprm->buf) {
 		cp--;
 		if ((*cp == ' ') || (*cp == '\t'))
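Review bot: this rejects every #! line that does not end within BINPRM_BUF_SIZE, including a line whose interpreter path fits but whose argument runs past the buffer; the removed `bprm->buf[BINPRM_BUF_SIZE - 1] = '\0';` path ran such scripts with a shortened i_arg, so after this change they fail outright. Because the new `return -ENOEXEC;` sits below the `fput(bprm->file); bprm->file = NULL;` context lines, search_binary_handler() will not try another binfmt handler once bprm->file is NULL, so this is a hard exec failure rather than a fall-through; that behaviour change belongs in the changelog, or, if it is too strict, consider rejecting only when no blank or '\n' terminates the interpreter path itself and keep truncating the argument. Starting the scan at `bprm->buf+2` also relies on the caller having already matched the "#!" prefix, which holds here but deserves a one-line comment.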
-- 
2.19.1

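The following is an added example, not part of the patch or of the kernel sources: a constructed user-space model of load_script() with the pre-patch and patched parsers side by side. BINPRM_BUF_SIZE, buf, i_name and i_arg mirror the kernel names, and the two long #! lines are constructed inputs; the model shows the old code handing back a 125-byte interpreter path that never existed on disk (and, for the second script, a silently shortened argument), while the patched logic returns -ENOEXEC for both.

```c
/* Constructed user-space model of load_script() before and after the patch. */
#include <errno.h>
#include <string.h>
#define BINPRM_BUF_SIZE 128  /* size of bprm->buf in the kernel */
#define X16 "xxxxxxxxxxxxxxxx"  /* 16 filler bytes for the long lines below */
/* Constructed scripts: a path longer than the buffer, and a path that fits
 * but whose argument does not (both lines are 139 bytes long). */
static const char LONG_PATH[] = "#!/" X16 X16 X16 X16 X16 X16 X16 X16 "/python\n";
static const char LONG_ARG[]  = "#!/bin/sh " X16 X16 X16 X16 X16 X16 X16 X16 "\n";
static char buf[BINPRM_BUF_SIZE];   /* stands in for bprm->buf */
static char *i_name, *i_arg;        /* interpreter path and its argument */

/* Trim trailing blanks and split the line ending at 'end' into i_name and
 * i_arg; this part of load_script() is unchanged by the patch. */
static int split(char *end)
{
	char *cp = end;
	*cp = '\0';
	while (cp > buf && (cp[-1] == ' ' || cp[-1] == '\t'))
		*--cp = '\0';
	cp = buf + 2 + strspn(buf + 2, " \t");
	if (!*cp)
		return -ENOEXEC;        /* no interpreter name */
	i_name = cp;
	cp += strcspn(cp, " \t");
	while (*cp == ' ' || *cp == '\t')
		*cp++ = '\0';
	i_arg = *cp ? cp : NULL;
	return 0;
}

/* Copy the first 128 bytes of 'script' the way prepare_binprm() does (zero
 * filled, no terminator if the line is longer), then parse with the
 * pre-patch (patched == 0) or the patched logic. */
static int load_script(const char *script, int patched)
{
	size_t n = strlen(script);
	char *cp;
	memset(buf, 0, sizeof buf);
	memcpy(buf, script, n < sizeof buf ? n : sizeof buf);
	if (!patched) {                 /* before: silently cut at byte 127 */
		buf[BINPRM_BUF_SIZE - 1] = '\0';
		if ((cp = strchr(buf, '\n')) == NULL)
			cp = buf + BINPRM_BUF_SIZE - 1;
	} else {                        /* after: need '\n' or NUL in the buffer */
		for (cp = buf + 2;; cp++) {
			if (cp >= buf + BINPRM_BUF_SIZE)
				return -ENOEXEC;
			if (!*cp || *cp == '\n')
				break;
		}
	}
	return split(cp);
}
```

A short "#!/bin/sh" with no trailing newline still parses under the patched logic because the memset() zero after the last byte terminates the scan, which is the '\0' case the changelog mentions.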
