Edmund Wu 2019-02-14 18:16:17 -05:00 committed by Tim Steinbach
parent 13d1ba3439
commit f0b8a113dd
3 changed files with 56 additions and 0 deletions

View file

@ -0,0 +1,44 @@
From cb5b020a8d38f77209d0472a0fea755299a8ec78 Mon Sep 17 00:00:00 2001
From: Linus Torvalds <torvalds@linux-foundation.org>
Date: Thu, 14 Feb 2019 15:02:18 -0800
Subject: Revert "exec: load_script: don't blindly truncate shebang string"
This reverts commit 8099b047ecc431518b9bb6bdbba3549bbecdc343.
It turns out that people do actually depend on the shebang string being
truncated, and on the fact that an interpreter (like perl) will often
just re-interpret it entirely to get the full argument list.
Reported-by: Samuel Dionne-Riel <samuel@dionne-riel.com>
Acked-by: Kees Cook <keescook@chromium.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
---
fs/binfmt_script.c | 10 +++-------
1 file changed, 3 insertions(+), 7 deletions(-)
diff --git a/fs/binfmt_script.c b/fs/binfmt_script.c
index d0078cbb718b..7cde3f46ad26 100644
--- a/fs/binfmt_script.c
+++ b/fs/binfmt_script.c
@@ -42,14 +42,10 @@ static int load_script(struct linux_binprm *bprm)
fput(bprm->file);
bprm->file = NULL;
- for (cp = bprm->buf+2;; cp++) {
- if (cp >= bprm->buf + BINPRM_BUF_SIZE)
- return -ENOEXEC;
- if (!*cp || (*cp == '\n'))
- break;
- }
+ bprm->buf[BINPRM_BUF_SIZE - 1] = '\0';
+ if ((cp = strchr(bprm->buf, '\n')) == NULL)
+ cp = bprm->buf+BINPRM_BUF_SIZE-1;
*cp = '\0';
-
while (cp > bprm->buf) {
cp--;
if ((*cp == ' ') || (*cp == '\t'))
--
cgit 1.2-0.3.lf.el7

View file

@ -57,4 +57,11 @@ rec {
sha256 = "1l8xq02rd7vakxg52xm9g4zng0ald866rpgm8kjlh88mwwyjkrwv";
};
};
# https://github.com/NixOS/nixpkgs/issues/53672
# https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cb5b020a8d38f77209d0472a0fea755299a8ec78
interpreter-trunc = {
name = "interpreter-trunc";
patch = ./interpreter-trunc.patch;
};
}

View file

@ -14576,6 +14576,7 @@ in
# when adding a new linux version
kernelPatches.cpu-cgroup-v2."4.11"
kernelPatches.modinst_arg_list_too_long
kernelPatches.interpreter-trunc
];
};
@ -14583,6 +14584,7 @@ in
kernelPatches =
[ kernelPatches.bridge_stp_helper
kernelPatches.modinst_arg_list_too_long
kernelPatches.interpreter-trunc
];
};
@ -14590,6 +14592,7 @@ in
kernelPatches =
[ kernelPatches.bridge_stp_helper
kernelPatches.modinst_arg_list_too_long
kernelPatches.interpreter-trunc
];
};
@ -14597,6 +14600,7 @@ in
kernelPatches = [
kernelPatches.bridge_stp_helper
kernelPatches.modinst_arg_list_too_long
kernelPatches.interpreter-trunc
];
};
@ -14611,6 +14615,7 @@ in
kernelPatches = [
kernelPatches.bridge_stp_helper
kernelPatches.modinst_arg_list_too_long
kernelPatches.interpreter-trunc
];
};