From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-9.0 required=3.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,MAILING_LIST_MULTI, SIGNED_OFF_BY,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id F259BC169C4 for ; Mon, 11 Feb 2019 15:13:44 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id C219D222A7 for ; Mon, 11 Feb 2019 15:13:44 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1549898024; bh=xVhZ65/QE2Z0PC5Ks8b7RL6jyZpecjxTDNUnNcVP114=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=u08/3xYL8kx9YCXsvz3hCYhXTwQRhjs6Fs2iqhaMHtEuyiA42kutKsruruZu7f4xx J8kxB2Vsj70TkZAcLIZYnZEVga0iFX0cdwlHiclCvrd6CPeEJHPNThbG+XXcGkRc7i tbBKNkrcM2689HY+46Jtzo0E4JW75KAkb/gxtd1E= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2391250AbfBKPJO (ORCPT ); Mon, 11 Feb 2019 10:09:14 -0500 Received: from mail.kernel.org ([198.145.29.99]:59078 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2391606AbfBKPJN (ORCPT ); Mon, 11 Feb 2019 10:09:13 -0500 Received: from localhost (5356596B.cm-6-7b.dynamic.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id C0031222B5; Mon, 11 Feb 2019 15:09:11 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1549897752; bh=xVhZ65/QE2Z0PC5Ks8b7RL6jyZpecjxTDNUnNcVP114=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=YFgEfNLB4WmlX6x9nz7ghQ+4dYiJEEL9O45vcH01Fnee5fQxa0mLrJi7h1Flx30ku 4sFQfyCk1px28aV4Zmpiw2jER+L5BH/SaNG0WMdnqFJV0RlHqApRfAd4jgWpHXxzBg 6J+2RtQFwgxKJBcen2AiyPuMoOv3pFhxBZx4/0l8= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Oleg Nesterov , Kees Cook , Michal Hocko , Ben Woodard , "Eric W. Biederman" , Andrew Morton , Linus Torvalds , Sasha Levin Subject: [PATCH 4.9 103/137] exec: load_script: dont blindly truncate shebang string Date: Mon, 11 Feb 2019 15:19:44 +0100 Message-Id: <20190211141821.615389919@linuxfoundation.org> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20190211141811.964925535@linuxfoundation.org> References: <20190211141811.964925535@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review X-Patchwork-Hint: ignore MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org 4.9-stable review patch. If anyone has any objections, please let me know. ------------------ [ Upstream commit 8099b047ecc431518b9bb6bdbba3549bbecdc343 ] load_script() simply truncates bprm->buf and this is very wrong if the length of shebang string exceeds BINPRM_BUF_SIZE-2. This can silently truncate i_arg or (worse) we can execute the wrong binary if buf[2:126] happens to be the valid executable path. Change load_script() to return ENOEXEC if it can't find '\n' or zero in bprm->buf. Note that '\0' can come from either prepare_binprm()->memset() or from kernel_read(), we do not care. Link: http://lkml.kernel.org/r/20181112160931.GA28463@redhat.com Signed-off-by: Oleg Nesterov Acked-by: Kees Cook Acked-by: Michal Hocko Cc: Ben Woodard Cc: "Eric W. Biederman" Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin --- fs/binfmt_script.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/fs/binfmt_script.c b/fs/binfmt_script.c index afdf4e3cafc2..634bdbb23851 100644 --- a/fs/binfmt_script.c +++ b/fs/binfmt_script.c @@ -43,10 +43,14 @@ static int load_script(struct linux_binprm *bprm) fput(bprm->file); bprm->file = NULL; - bprm->buf[BINPRM_BUF_SIZE - 1] = '\0'; - if ((cp = strchr(bprm->buf, '\n')) == NULL) - cp = bprm->buf+BINPRM_BUF_SIZE-1; + for (cp = bprm->buf+2;; cp++) { + if (cp >= bprm->buf + BINPRM_BUF_SIZE) + return -ENOEXEC; + if (!*cp || (*cp == '\n')) + break; + } *cp = '\0'; + while (cp > bprm->buf) { cp--; if ((*cp == ' ') || (*cp == '\t')) -- 2.19.1