Date: Tue, 13 Nov 2018 11:27:41 +0100
From: Michal Hocko To: Oleg Nesterov Cc: Andrew Morton , Ben Woodard , "Eric W. Biederman" , Kees Cook , linux-kernel@vger.kernel.org Subject: Re: [PATCH 1/2] exec: load_script: don't blindly truncate shebang string Message-ID: <20181113102741.GN15120@dhcp22.suse.cz> References: <20181112160931.GA28463@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20181112160931.GA28463@redhat.com> User-Agent: Mutt/1.10.1 (2018-07-13) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon 12-11-18 17:09:31, Oleg Nesterov wrote: > load_script() simply truncates bprm->buf and this is very wrong if the > length of shebang string exceeds BINPRM_BUF_SIZE-2. This can silently > truncate i_arg or (worse) we can execute the wrong binary if buf[2:126] > happens to be the valid executable path. > > Change load_script() to return ENOEXEC if it can't find '\n' or zero in > bprm->buf. Note that '\0' can come from either prepare_binprm()->memset() > or from kernel_read(), we do not care. > > Signed-off-by: Oleg Nesterov A bit cryptic to my taste but it looks correct. I have tried to come up with something more tasty but I am afraid it would be just a matter of taste. Acked-by: Michal Hocko > --- > fs/binfmt_script.c | 10 +++++++--- > 1 file changed, 7 insertions(+), 3 deletions(-) > > diff --git a/fs/binfmt_script.c b/fs/binfmt_script.c > index 7cde3f4..d0078cb 100644 > --- a/fs/binfmt_script.c > +++ b/fs/binfmt_script.c 
> @@ -42,10 +42,14 @@ static int load_script(struct linux_binprm *bprm) > fput(bprm->file); > bprm->file = NULL; > > - bprm->buf[BINPRM_BUF_SIZE - 1] = '\0'; > - if ((cp = strchr(bprm->buf, '\n')) == NULL) > - cp = bprm->buf+BINPRM_BUF_SIZE-1; > + for (cp = bprm->buf+2;; cp++) { > + if (cp >= bprm->buf + BINPRM_BUF_SIZE) > + return -ENOEXEC; > + if (!*cp || (*cp == '\n')) > + break; > + } > *cp = '\0'; > + > while (cp > bprm->buf) { > cp--; > if ((*cp == ' ') || (*cp == '\t')) > -- > 2.5.0 > > -- Michal Hocko SUSE Labs
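Review bot: the new loop treats an embedded '\0' exactly like '\n', so a script whose first BINPRM_BUF_SIZE bytes contain a NUL before any newline is still accepted with the interpreter line silently cut at that byte, while only the no-terminator-at-all case returns -ENOEXEC; since the commit message says the NUL is expected to come from prepare_binprm()->memset() or a short kernel_read(), a one-line comment above `for (cp = bprm->buf+2;; cp++) {` stating that intent would save the next reader from wondering whether NUL-in-data was meant to be rejected too. Two smaller points: starting at `bprm->buf+2` assumes the "#!" magic was already verified before this hunk, which is worth saying in that same comment, and the bounds test `if (cp >= bprm->buf + BINPRM_BUF_SIZE)` correctly precedes the dereference, so the later `*cp = '\0'` is always in bounds; the added blank `+` line after it is purely cosmetic and could be dropped to keep the diff minimal.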