From: Greg Kroah-Hartman Date: Fri, 15 Feb 2019 08:14:05 +0000 (+0100) Subject: 3.18-stable patches X-Git-Tag: v3.18.135~33 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e4328b88029b7727090f318e5c80738b9f5f8b3e;p=thirdparty%2Fkernel%2Fstable-queue.git 3.18-stable patches added patches: revert-exec-load_script-don-t-blindly-truncate-shebang-string.patch --- diff --git a/queue-3.18/revert-exec-load_script-don-t-blindly-truncate-shebang-string.patch b/queue-3.18/revert-exec-load_script-don-t-blindly-truncate-shebang-string.patch new file mode 100644 index 00000000000..ada479ca723 --- /dev/null +++ b/queue-3.18/revert-exec-load_script-don-t-blindly-truncate-shebang-string.patch 
@@ -0,0 +1,45 @@ +From cb5b020a8d38f77209d0472a0fea755299a8ec78 Mon Sep 17 00:00:00 2001 +From: Linus Torvalds +Date: Thu, 14 Feb 2019 15:02:18 -0800 +Subject: Revert "exec: load_script: don't blindly truncate shebang string" + +From: Linus Torvalds + +commit cb5b020a8d38f77209d0472a0fea755299a8ec78 upstream. + +This reverts commit 8099b047ecc431518b9bb6bdbba3549bbecdc343. + +It turns out that people do actually depend on the shebang string being +truncated, and on the fact that an interpreter (like perl) will often +just re-interpret it entirely to get the full argument list. + +Reported-by: Samuel Dionne-Riel +Acked-by: Kees Cook +Cc: Oleg Nesterov +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/binfmt_script.c | 10 +++------- + 1 file changed, 3 insertions(+), 7 deletions(-) + +--- a/fs/binfmt_script.c ++++ b/fs/binfmt_script.c +@@ -33,14 +33,10 @@ static int load_script(struct linux_binp + fput(bprm->file); + bprm->file = NULL; + +- for (cp = bprm->buf+2;; cp++) { +- if (cp >= bprm->buf + BINPRM_BUF_SIZE) +- return -ENOEXEC; +- if (!*cp || (*cp == '\n')) +- break; +- } ++ bprm->buf[BINPRM_BUF_SIZE - 1] = '\0'; ++ if ((cp = strchr(bprm->buf, '\n')) == NULL) ++ cp = bprm->buf+BINPRM_BUF_SIZE-1; + *cp = '\0'; +- + while (cp > bprm->buf) { + cp--; + if ((*cp == ' ') || (*cp == '\t'))
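Review bot: the restored truncation in load_script() (the `bprm->buf[BINPRM_BUF_SIZE - 1] = '\0';` line and the `strchr()` fallback to `bprm->buf+BINPRM_BUF_SIZE-1`) has no comment saying that cutting an over-long shebang line is intentional, so a later cleanup could easily bring back the `-ENOEXEC` check that this revert removes. A short comment above those lines should record what the commit message says: users depend on the truncation, and interpreters such as perl re-read the line themselves to get the full argument list. One point for a follow-up: in the visible lines the restored code treats a line cut inside the interpreter path the same as one cut inside the arguments, while the rationale in the commit message only covers the argument case. It would be worth checking whether a path that runs past BINPRM_BUF_SIZE should still be refused.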