Date: Mon, 12 Nov 2018 17:09:31 +0100
From: Oleg Nesterov
To: Andrew Morton
Cc: Ben Woodard, "Eric W. Biederman", Kees Cook, Michal Hocko, linux-kernel@vger.kernel.org
Subject: [PATCH 1/2] exec: load_script: don't blindly truncate shebang string
Message-ID: <20181112160931.GA28463@redhat.com>
X-Mailing-List: linux-kernel@vger.kernel.org

load_script() simply truncates bprm->buf, and this is very wrong if the length of the shebang string exceeds BINPRM_BUF_SIZE-2. This can silently truncate i_arg or (worse) we can execute the wrong binary if buf[2:126] happens to be a valid executable path.

Change load_script() to return ENOEXEC if it can't find '\n' or zero in bprm->buf. Note that '\0' can come from either prepare_binprm()->memset() or from kernel_read(); we do not care.

Signed-off-by: Oleg Nesterov
---
 fs/binfmt_script.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/fs/binfmt_script.c b/fs/binfmt_script.c
index 7cde3f4..d0078cb 100644
--- a/fs/binfmt_script.c
+++ b/fs/binfmt_script.c
@@ -42,10 +42,14 @@ static int load_script(struct linux_binprm *bprm)
 fput(bprm->file);
 bprm->file = NULL;
- bprm->buf[BINPRM_BUF_SIZE - 1] = '\0';
- if ((cp = strchr(bprm->buf, '\n')) == NULL)
- cp = bprm->buf+BINPRM_BUF_SIZE-1;
+ for (cp = bprm->buf+2;; cp++) {
+ if (cp >= bprm->buf + BINPRM_BUF_SIZE)
+ return -ENOEXEC;
+ if (!*cp || (*cp == '\n'))
+ break;
+ }
 *cp = '\0';
+
 while (cp > bprm->buf) {
 cp--;
 if ((*cp == ' ') || (*cp == '\t'))
-- 
2.5.0
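Review bot: the bound check and the terminator test in the new loop would read more naturally as the loop condition, and the rejection that replaces the old `cp = bprm->buf+BINPRM_BUF_SIZE-1` fallback deserves a comment in the code, since the hunk changes behaviour (a first line with no '\n' or '\0' inside the buffer now fails with -ENOEXEC instead of being cut at byte BINPRM_BUF_SIZE-1) and nothing at the site says why. Consider `for (cp = bprm->buf + 2; cp < bprm->buf + BINPRM_BUF_SIZE; cp++)` with the `break` on `!*cp || *cp == '\n'` inside, followed by `if (cp == bprm->buf + BINPRM_BUF_SIZE) return -ENOEXEC;`, plus a one-line comment stating that '\0' terminates the line exactly like '\n'. The commit message attributes that '\0' to prepare_binprm()'s memset or a short kernel_read(), but `!*cp` also matches a literal NUL byte in the script itself; the removed strchr() stopped at such a byte too, so this is not a regression, but it is worth stating. Finally, the new `return -ENOEXEC` sits after the `fput(bprm->file); bprm->file = NULL;` context above it, so the file is already released on that path; if that is intended, a sentence in the commit message would save the next reader the check.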
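The two failure modes the commit message describes (a silently truncated i_arg, and an interpreter path cut to a different name) are easy to see with a userspace model of the parser. The following is an added example, not part of the patch or of the kernel tree: it re-implements the shebang handling of fs/binfmt_script.c in its old and new form over constructed BINPRM_BUF_SIZE-byte buffers. The names parse_old, parse_new, build_script and struct shebang are this example's own, and the "/opt/xxx.../interp" paths are constructed test input, not real files.

```c
/*
 * Added example (not the patch's or the kernel's code): a userspace model of
 * the shebang parsing in fs/binfmt_script.c before and after this change.
 * Function and field names here are the example's own, not the kernel's.
 */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BINPRM_BUF_SIZE 128		/* same size as the kernel's bprm->buf */

struct shebang {
	char buf[BINPRM_BUF_SIZE];	/* stands in for bprm->buf */
	const char *interp;		/* i_name in load_script() */
	const char *arg;		/* i_arg in load_script(), NULL if absent */
};

/* Like prepare_binprm(): zero the buffer, then copy at most BINPRM_BUF_SIZE bytes. */
static void fill_buf(struct shebang *s, const char *file, size_t len)
{
	memset(s->buf, 0, sizeof s->buf);
	memcpy(s->buf, file, len < sizeof s->buf ? len : sizeof s->buf);
	s->interp = NULL;
	s->arg = NULL;
}

/* Common tail of load_script(): terminate at cp, strip trailing blanks,
 * then split the line into interpreter name and optional argument. */
static int split_line(struct shebang *s, char *cp)
{
	*cp = '\0';
	while (cp > s->buf) {
		cp--;
		if (*cp == ' ' || *cp == '\t')
			*cp = '\0';
		else
			break;
	}
	for (cp = s->buf + 2; *cp == ' ' || *cp == '\t'; cp++)
		;
	if (*cp == '\0')
		return -ENOEXEC;	/* no interpreter name */
	s->interp = cp;
	for (; *cp && *cp != ' ' && *cp != '\t'; cp++)
		;
	while (*cp == ' ' || *cp == '\t')
		*cp++ = '\0';
	if (*cp)
		s->arg = cp;
	return 0;
}

/* Before the patch: force a terminator at the last byte and cut there if no '\n'. */
static int parse_old(struct shebang *s, const char *file, size_t len)
{
	char *cp;
	fill_buf(s, file, len);
	if (s->buf[0] != '#' || s->buf[1] != '!')
		return -ENOEXEC;
	s->buf[BINPRM_BUF_SIZE - 1] = '\0';
	if ((cp = strchr(s->buf, '\n')) == NULL)
		cp = s->buf + BINPRM_BUF_SIZE - 1;
	return split_line(s, cp);
}

/* After the patch: a first line with neither '\n' nor '\0' in the buffer is rejected. */
static int parse_new(struct shebang *s, const char *file, size_t len)
{
	char *cp;
	fill_buf(s, file, len);
	if (s->buf[0] != '#' || s->buf[1] != '!')
		return -ENOEXEC;
	for (cp = s->buf + 2;; cp++) {
		if (cp >= s->buf + BINPRM_BUF_SIZE)
			return -ENOEXEC;
		if (!*cp || *cp == '\n')
			break;
	}
	return split_line(s, cp);
}

/* Constructed test input: "#!<path> <arg>\n" plus a one-line body, where <path>
 * is "/opt/" + 'x' padding + "/interp" of exactly path_len bytes (path_len >= 12). */
static size_t build_script(char *out, size_t outsz, size_t path_len, const char *arg)
{
	size_t alen = arg ? strlen(arg) : 0, n = 7;
	if (path_len < 12 || outsz < path_len + alen + 16)
		return 0;
	memcpy(out, "#!/opt/", 7);
	memset(out + n, 'x', path_len - 12);
	n += path_len - 12;
	memcpy(out + n, "/interp", 7);
	n += 7;
	if (arg) {
		out[n++] = ' ';
		memcpy(out + n, arg, alen);
		n += alen;
	}
	memcpy(out + n, "\nexit 0\n", 8);
	n += 8;
	out[n] = '\0';
	return n;
}

int main(void)
{
	char script[256];
	struct shebang s;
	/* 122 bytes of "#!<path>" push the flag past the end of the buffer. */
	size_t n = build_script(script, sizeof script, 120, "--no-network");
	if (parse_old(&s, script, n) == 0)
		printf("old: interp=%s arg=%s\n", s.interp, s.arg ? s.arg : "(none)");
	printf("new: rc=%d\n", parse_new(&s, script, n));
	return 0;
}
```

With a 120-byte interpreter path the old parser accepts the script but hands the interpreter "--no" instead of "--no-network"; with a 130-byte path it accepts a path cut to 125 bytes that ends in "/i" rather than "/interp", which is the "wrong binary" case from the commit message. The new parser returns -ENOEXEC for both, still accepts a line whose '\n' lands on the last byte of the buffer, and still accepts a short file with no trailing newline because the memset-supplied '\0' terminates it.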