From: Greg Kroah-Hartman
Date: Fri, 15 Feb 2019 07:17:17 +0000 (+0100)
Subject: 4.9-stable patches
X-Git-Tag: v4.9.158~4
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=bead8aa4fa15a247f1ab90ad4b7760764b362c23;p=thirdparty%2Fkernel%2Fstable-queue.git
4.9-stable patches added patches: revert-exec-load_script-don-t-blindly-truncate-shebang-string.patch
---
diff --git a/queue-3.18/series b/queue-3.18/series
index fb05674c8db..9d6fad448fb 100644
--- a/queue-3.18/series
+++ b/queue-3.18/series
@@ -88,3 +88,4 @@ xfrm-refine-validation-of-template-and-selector-families.patch
 batman-adv-avoid-warn-on-net_device-without-parent-in-netns.patch
 batman-adv-force-mac-header-to-start-of-data-on-xmit.patch
 usb-host-ehci-msm-fix-handling-platform_get_irq-result.patch
+revert-exec-load_script-don-t-blindly-truncate-shebang-string.patch
diff --git a/queue-4.14/series b/queue-4.14/series
new file mode 100644
index 00000000000..edfd92ae33a
--- /dev/null
+++ b/queue-4.14/series
@@ -0,0 +1 @@
+revert-exec-load_script-don-t-blindly-truncate-shebang-string.patch
diff --git a/queue-4.19/series b/queue-4.19/series
new file mode 100644
index 00000000000..edfd92ae33a
--- /dev/null
+++ b/queue-4.19/series
@@ -0,0 +1 @@
+revert-exec-load_script-don-t-blindly-truncate-shebang-string.patch
diff --git a/queue-4.20/series b/queue-4.20/series
new file mode 100644
index 00000000000..edfd92ae33a
--- /dev/null
+++ b/queue-4.20/series
@@ -0,0 +1 @@
+revert-exec-load_script-don-t-blindly-truncate-shebang-string.patch
diff --git a/queue-4.4/series b/queue-4.4/series
index 111a68153e8..b3bddb8687d 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -115,3 +115,4 @@ libceph-avoid-keepalive_pending-races-in-ceph_con_keepalive.patch
 xfrm-refine-validation-of-template-and-selector-families.patch
 batman-adv-avoid-warn-on-net_device-without-parent-in-netns.patch
 batman-adv-force-mac-header-to-start-of-data-on-xmit.patch
+revert-exec-load_script-don-t-blindly-truncate-shebang-string.patch
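Review bot: The series entries added for queue-3.18, queue-4.14, queue-4.19, queue-4.20 and queue-4.4 all name `revert-exec-load_script-don-t-blindly-truncate-shebang-string.patch`, but the only copy of that patch file this diff creates is under queue-4.9. Unless the file already exists in those directories from another commit, applying those queues would stop on a missing patch, so either add the file to each directory or drop the entries until it is there. It is also worth confirming that each of those trees actually carries a backport of the reverted commit 8099b047ecc431518b9bb6bdbba3549bbecdc343, since a revert queued against a tree without it would not apply.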
diff --git a/queue-4.9/revert-exec-load_script-don-t-blindly-truncate-shebang-string.patch b/queue-4.9/revert-exec-load_script-don-t-blindly-truncate-shebang-string.patch
new file mode 100644
index 00000000000..ab56e7eb52d
--- /dev/null
+++ b/queue-4.9/revert-exec-load_script-don-t-blindly-truncate-shebang-string.patch
@@ -0,0 +1,45 @@
+From cb5b020a8d38f77209d0472a0fea755299a8ec78 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds
+Date: Thu, 14 Feb 2019 15:02:18 -0800
+Subject: Revert "exec: load_script: don't blindly truncate shebang string"
+
+From: Linus Torvalds
+
+commit cb5b020a8d38f77209d0472a0fea755299a8ec78 upstream.
+
+This reverts commit 8099b047ecc431518b9bb6bdbba3549bbecdc343.
+
+It turns out that people do actually depend on the shebang string being
+truncated, and on the fact that an interpreter (like perl) will often
+just re-interpret it entirely to get the full argument list.
+
+Reported-by: Samuel Dionne-Riel
+Acked-by: Kees Cook
+Cc: Oleg Nesterov
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/binfmt_script.c | 10 +++-------
+ 1 file changed, 3 insertions(+), 7 deletions(-)
+
+--- a/fs/binfmt_script.c
++++ b/fs/binfmt_script.c
+@@ -43,14 +43,10 @@ static int load_script(struct linux_binp
+ fput(bprm->file);
+ bprm->file = NULL;
+
+- for (cp = bprm->buf+2;; cp++) {
+- if (cp >= bprm->buf + BINPRM_BUF_SIZE)
+- return -ENOEXEC;
+- if (!*cp || (*cp == '\n'))
+- break;
+- }
++ bprm->buf[BINPRM_BUF_SIZE - 1] = '\0';
++ if ((cp = strchr(bprm->buf, '\n')) == NULL)
++ cp = bprm->buf+BINPRM_BUF_SIZE-1;
+ *cp = '\0';
+-
+ while (cp > bprm->buf) {
+ cp--;
+ if ((*cp == ' ') || (*cp == '\t'))
diff --git a/queue-4.9/series b/queue-4.9/series
new file mode 100644
index 00000000000..edfd92ae33a
--- /dev/null
+++ b/queue-4.9/series
@@ -0,0 +1 @@
+revert-exec-load_script-don-t-blindly-truncate-shebang-string.patch
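Review bot: In the fs/binfmt_script.c hunk carried by the queued patch, the restored lines cut the `#!` line at `BINPRM_BUF_SIZE - 1` without recording whether the cut fell inside the interpreter path or only in its arguments: when `strchr` finds no newline, `cp` is pointed at the last buffer byte and parsing carries on. The commit message justifies truncation for the argument list, which interpreters such as perl re-read themselves, but a path cut short would be looked up and executed as a different, shorter path than the one the script names. A guard that returns `-ENOEXEC` only when no newline was found and no space or tab follows the first token would keep the behaviour users depend on while refusing a truncated interpreter name; whether later code in load_script already covers this cannot be seen here, because the function continues outside the hunk. I would also add a comment above the `strchr` line such as `/* Truncation is intentional: interpreters may re-read the #! line for the full argument list. */` so the next cleanup does not remove it again.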