From: Adam Borowski <kilobyte@angband.pl>
To: dash@vger.kernel.org
Cc: Adam Borowski <kilobyte@angband.pl>
Subject: [PATCH] Don't execute binary files if execve() returned ENOEXEC.
Date: Tue, 7 Feb 2017 09:33:07 +0100 [thread overview]
Message-ID: <20170207083307.14881-1-kilobyte@angband.pl> (raw)
Both "dash -c foo" and "./foo" are supposed to be able to run hashbang-less
scripts, but attempts to execute common binary files tend to be nasty:
especially both ELF and PE tend to make dash create a bunch of files with
unprintable names, that in turn confuse some tools up to causing data loss.
Thus, let's read the first line and see if it looks like text. This is a
variant of the approach used by bash and zsh; mksh instead checks for
signatures of a bunch of common file types.
POSIX says: "If the executable file is not a text file, the shell may bypass
this command execution.".
Signed-off-by: Adam Borowski <kilobyte@angband.pl>
---
This has been applied in Debian. While technically it's only a "may" issue
in dash itself, and is triggered by user error (trying to exec files you
shouldn't exec), the fallout is nasty enough that the bug was classified as
serious.
The usual failure mode is to create files with names such as:
(per submitter, a PE):
90 d4 f6
(an ELF):
01 b0 40 40 08 01 40 38 02 40 04 03 01 05 40 40 ed ed
01 b0 40 40 f8 40 38 02 40 04 03 01 05 40 40 da da
diff --git a/src/exec.c b/src/exec.c
index ec0eadd..19ae752 100644
--- a/src/exec.c
+++ b/src/exec.c
@@ -148,6 +148,36 @@ shellexec(char **argv, const char *path, int idx)
}
+/*
+ * Check if an executable that just failed with ENOEXEC shouldn't be
+ * considered a script (wrong-arch ELF/PE, junk accidentally set +x, etc).
+ * We check only the first line to allow binaries encapsulated in a shell
+ * script without proper quoting. The first line, if not a hashbang, is
+ * likely to contain comments; even ancient encodings, at least popular
+ * ones, don't use 0x7f nor values below 0x1f other than whitespace (\t,
+ * \n, \v, \f, \r), ISO/IEC 2022 can have SI, SO and \e.
+ */
+STATIC int file_is_binary(const char *cmd)
+{
+ char buf[128];
+ int fd = open(cmd, O_RDONLY|O_NOCTTY);
+ if (fd == -1)
+ return 1;
+ int len = read(fd, buf, sizeof(buf));
+ close(fd);
+ for (int i = 0; i < len; ++i) {
+ char c = buf[i];
+ if (c >= 0 && c <= 8 ||
+ c >= 16 && c <= 31 && c != 27 ||
+ c == 0x7f)
+ return 1;
+ if (c == '\n')
+ return 0;
+ }
+ return 0;
+}
+
+
STATIC void
tryexec(char *cmd, char **argv, char **envp)
{
@@ -162,6 +192,8 @@ repeat:
execve(cmd, argv, envp);
#endif
if (cmd != path_bshell && errno == ENOEXEC) {
+ if (file_is_binary(cmd))
+ return;
*argv-- = cmd;
*argv = cmd = path_bshell;
goto repeat;
--
2.11.0
next reply other threads:[~2017-02-07 8:33 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-02-07 8:33 Adam Borowski [this message]
2017-02-07 22:52 ` [PATCH] Don't execute binary files if execve() returned ENOEXEC Jilles Tjoelker
2017-02-08 8:02 ` Adam Borowski
2017-02-08 22:11 ` Jilles Tjoelker
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170207083307.14881-1-kilobyte@angband.pl \
--to=kilobyte@angband.pl \
--cc=dash@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).