Re: [PATCH v3] exec: load_script: Do not exec truncated interpreter path

From: Linus Torvalds <torvalds@linux-foundation.org>
To: Oleg Nesterov <oleg@redhat.com>
Cc: Kees Cook <keescook@chromium.org>,
	Andrew Morton <akpm@linux-foundation.org>,
	Samuel Dionne-Riel <samuel@dionne-riel.com>,
	Richard Weinberger <richard.weinberger@gmail.com>,
	Graham Christensen <graham@grahamc.com>,
	Michal Hocko <mhocko@suse.com>,
	LKML <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH v3] exec: load_script: Do not exec truncated interpreter path
Date: Fri, 15 Feb 2019 08:39:37 -0800	[thread overview]
Message-ID: <CAHk-=wjk29MeO9PuyirONZMr75-H6LtfNe6WghOXT7n+f5-RTA@mail.gmail.com> (raw)
In-Reply-To: <20190215161851.GA8804@redhat.com>

[-- Attachment #1: Type: text/plain, Size: 423 bytes --]

On Fri, Feb 15, 2019 at 8:18 AM Oleg Nesterov <oleg@redhat.com> wrote:
>
> Not sure. Consider a script file which has a single line
>
>         #!/path/to/interpreter
>
> WITHOUT '\n' at the end.

Heh. I'm not sure how valid that is, but it's an interesting case for sure.

But it's actually fairly easy to fix with the franken-approach I did
that combines mine and Kees' patches.

Does this work?

                  Linus

[-- Attachment #2: patch.diff --]
[-- Type: text/x-patch, Size: 1563 bytes --]

 fs/binfmt_script.c | 30 ++++++++++++++++++++++++++++--
 1 file changed, 28 insertions(+), 2 deletions(-)

diff --git a/fs/binfmt_script.c b/fs/binfmt_script.c
index 7cde3f46ad26..41be15701383 100644
--- a/fs/binfmt_script.c
+++ b/fs/binfmt_script.c
@@ -14,6 +14,29 @@
 #include <linux/err.h>
 #include <linux/fs.h>
 
+/*
+ * Do we have a terminating character between 'first' and 'last'
+ * (inclusive). This is the "we are truncating the script command
+ * line" case, and we know first < last.
+ *
+ * We skip leading whitespace, and then verify there's a space/tab
+ * or NUL before the end.
+ */
+static inline bool tabspc(char c) { return c == ' ' || c == '\t'; }
+static inline bool no_tab_or_space(const char *first, const char *last)
+{
+	// Skip leading space
+	for (;tabspc(*first) ; first++)
+		if (!*first || first == last)
+			return false;	// only space
+	// Ok, 'first' points to first non-spc/tab/NUL
+	// Can we find another terminator after this?
+	while (++first <= last)
+		if (!*first || tabspc(*first))
+			return true;
+	return false;
+}
+
 static int load_script(struct linux_binprm *bprm)
 {
 	const char *i_arg, *i_name;
@@ -42,9 +65,12 @@ static int load_script(struct linux_binprm *bprm)
 	fput(bprm->file);
 	bprm->file = NULL;
 
-	bprm->buf[BINPRM_BUF_SIZE - 1] = '\0';
-	if ((cp = strchr(bprm->buf, '\n')) == NULL)
+	cp = strnchr(bprm->buf, BINPRM_BUF_SIZE, '\n');
+	if (!cp) {
 		cp = bprm->buf+BINPRM_BUF_SIZE-1;
+		if (no_tab_or_space(bprm->buf+2, cp))
+			return -ENOEXEC;
+	}
 	*cp = '\0';
 	while (cp > bprm->buf) {
 		cp--;
