Commit | Line | Data |
---|---|---|
348a284a GKH |
1 | From cb5b020a8d38f77209d0472a0fea755299a8ec78 Mon Sep 17 00:00:00 2001 |
2 | From: Linus Torvalds <torvalds@linux-foundation.org> | |
3 | Date: Thu, 14 Feb 2019 15:02:18 -0800 | |
4 | Subject: Revert "exec: load_script: don't blindly truncate shebang string" | |
5 | ||
6 | From: Linus Torvalds <torvalds@linux-foundation.org> | |
7 | ||
8 | commit cb5b020a8d38f77209d0472a0fea755299a8ec78 upstream. | |
9 | ||
10 | This reverts commit 8099b047ecc431518b9bb6bdbba3549bbecdc343. | |
11 | ||
12 | It turns out that people do actually depend on the shebang string being | |
13 | truncated, and on the fact that an interpreter (like perl) will often | |
14 | just re-interpret it entirely to get the full argument list. | |
15 | ||
16 | Reported-by: Samuel Dionne-Riel <samuel@dionne-riel.com> | |
17 | Acked-by: Kees Cook <keescook@chromium.org> | |
18 | Cc: Oleg Nesterov <oleg@redhat.com> | |
19 | Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> | |
20 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | |
21 | ||
22 | --- | |
23 | fs/binfmt_script.c | 10 +++------- | |
24 | 1 file changed, 3 insertions(+), 7 deletions(-) | |
25 | ||
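--- a/fs/binfmt_script.c
+++ b/fs/binfmt_script.c
@@ -42,14 +42,10 @@ static int load_script(struct linux_binp
 fput(bprm->file);
 bprm->file = NULL;
 
- for (cp = bprm->buf+2;; cp++) {
- if (cp >= bprm->buf + BINPRM_BUF_SIZE)
- return -ENOEXEC;
- if (!*cp || (*cp == '\n'))
- break;
- }
+ bprm->buf[BINPRM_BUF_SIZE - 1] = '\0';
+ if ((cp = strchr(bprm->buf, '\n')) == NULL)
+ cp = bprm->buf+BINPRM_BUF_SIZE-1;
 *cp = '\0';
-
 while (cp > bprm->buf) {
 cp--;
 if ((*cp == ' ') || (*cp == '\t'))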
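Review bot: When no newline is found inside the buffer, the restored fallback `cp = bprm->buf+BINPRM_BUF_SIZE-1;` cuts the line silently, and nothing in this hunk distinguishes a truncated argument (the case the commit message says users rely on) from a truncated interpreter path. A path cut at the buffer edge can name a different existing file than the one the script author wrote, so the kernel may execute something other than the intended interpreter; that case looks worth rejecting with `-ENOEXEC` in a follow-up while leaving argument truncation alone. At minimum, document the behaviour above the terminator write, e.g. `/* Line longer than the buffer: truncated here; the interpreter path or its argument may be cut short. */`. load_script() begins and continues outside this hunk, so whether later code re-checks the path cannot be confirmed from here.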