[thirdparty/kernel/stable-queue.git] / releases / 4.19.23 / revert-exec-load_script-don-t-blindly-truncate-shebang-string.patch

From cb5b020a8d38f77209d0472a0fea755299a8ec78 Mon Sep 17 00:00:00 2001
From: Linus Torvalds <torvalds@linux-foundation.org>
Date: Thu, 14 Feb 2019 15:02:18 -0800
Subject: Revert "exec: load_script: don't blindly truncate shebang string"

From: Linus Torvalds <torvalds@linux-foundation.org>

commit cb5b020a8d38f77209d0472a0fea755299a8ec78 upstream.

This reverts commit 8099b047ecc431518b9bb6bdbba3549bbecdc343.

It turns out that people do actually depend on the shebang string being
truncated, and on the fact that an interpreter (like perl) will often
just re-interpret it entirely to get the full argument list.

Reported-by: Samuel Dionne-Riel <samuel@dionne-riel.com>
Acked-by: Kees Cook <keescook@chromium.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/binfmt_script.c |   10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)

--- a/fs/binfmt_script.c
+++ b/fs/binfmt_script.c
@@ -42,14 +42,10 @@ static int load_script(struct linux_binp
 	fput(bprm->file);
 	bprm->file = NULL;
 
-	for (cp = bprm->buf+2;; cp++) {
-		if (cp >= bprm->buf + BINPRM_BUF_SIZE)
-			return -ENOEXEC;
-		if (!*cp || (*cp == '\n'))
-			break;
-	}
+	bprm->buf[BINPRM_BUF_SIZE - 1] = '\0';
+	if ((cp = strchr(bprm->buf, '\n')) == NULL)
+		cp = bprm->buf+BINPRM_BUF_SIZE-1;
 	*cp = '\0';
-
 	while (cp > bprm->buf) {
 		cp--;
 		if ((*cp == ' ') || (*cp == '\t'))
Commit	Line	Data
348a284a GKH	1	From cb5b020a8d38f77209d0472a0fea755299a8ec78 Mon Sep 17 00:00:00 2001
	2	From: Linus Torvalds <torvalds@linux-foundation.org>
	3	Date: Thu, 14 Feb 2019 15:02:18 -0800
	4	Subject: Revert "exec: load_script: don't blindly truncate shebang string"
	5
	6	From: Linus Torvalds <torvalds@linux-foundation.org>
	7
	8	commit cb5b020a8d38f77209d0472a0fea755299a8ec78 upstream.
	9
	10	This reverts commit 8099b047ecc431518b9bb6bdbba3549bbecdc343.
	11
	12	It turns out that people do actually depend on the shebang string being
	13	truncated, and on the fact that an interpreter (like perl) will often
	14	just re-interpret it entirely to get the full argument list.
	15
	16	Reported-by: Samuel Dionne-Riel <samuel@dionne-riel.com>
	17	Acked-by: Kees Cook <keescook@chromium.org>
	18	Cc: Oleg Nesterov <oleg@redhat.com>
	19	Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
	20	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	21
	22	---
	23	fs/binfmt_script.c \| 10 +++-------
	24	1 file changed, 3 insertions(+), 7 deletions(-)
	25
	26	--- a/fs/binfmt_script.c
	27	+++ b/fs/binfmt_script.c
	28	@@ -42,14 +42,10 @@ static int load_script(struct linux_binp
	29	fput(bprm->file);
	30	bprm->file = NULL;
	31
	32	- for (cp = bprm->buf+2;; cp++) {
	33	- if (cp >= bprm->buf + BINPRM_BUF_SIZE)
	34	- return -ENOEXEC;
	35	- if (!cp \|\| (cp == '\n'))
	36	- break;
	37	- }
	38	+ bprm->buf[BINPRM_BUF_SIZE - 1] = '\0';
	39	+ if ((cp = strchr(bprm->buf, '\n')) == NULL)
	40	+ cp = bprm->buf+BINPRM_BUF_SIZE-1;
	41	*cp = '\0';
	42	-
	43	while (cp > bprm->buf) {
	44	cp--;
	45	if ((cp == ' ') \|\| (cp == '\t'))