| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20190214012754.GA17326@beast>
Date: Wed, 13 Feb 2019 17:27:54 -0800
From: Kees Cook <keescook@...omium.org>
To: Linus Torvalds <torvalds@...ux-foundation.org>
Cc: Samuel Dionne-Riel <samuel@...nne-riel.com>,
Richard Weinberger <richard.weinberger@...il.com>,
LKML <linux-kernel@...r.kernel.org>,
Graham Christensen <graham@...hamc.com>,
Oleg Nesterov <oleg@...hat.com>,
Michal Hocko <mhocko@...e.com>,
Andrew Morton <akpm@...ux-foundation.org>
Subject: [PATCH] exec: load_script: Allow interpreter argument truncation
While we want to make sure the kernel doesn't attempt to execute a
truncated interpreter path, we must allow the interpreter arguments to
be truncated. Perl, for example, will re-read the script itself to parse
arguments correctly.
This documents the parsing steps, and will fail to exec if the string was
truncated with neither an end-of-line nor any trailing whitespace.
Reported-by: Samuel Dionne-Riel <samuel@...nne-riel.com>
Fixes: 8099b047ecc4 ("exec: load_script: don't blindly truncate shebang string")
Signed-off-by: Kees Cook <keescook@...omium.org>
---
fs/binfmt_script.c | 37 +++++++++++++++++++++++++++++++------
1 file changed, 31 insertions(+), 6 deletions(-)
diff --git a/fs/binfmt_script.c b/fs/binfmt_script.c
index d0078cbb718b..3db23528bb85 100644
--- a/fs/binfmt_script.c
+++ b/fs/binfmt_script.c
@@ -20,6 +20,7 @@ static int load_script(struct linux_binprm *bprm)
char *cp;
struct file *file;
int retval;
+ bool truncated = false, end_of_interp = false;
if ((bprm->buf[0] != '#') || (bprm->buf[1] != '!'))
return -ENOEXEC;
@@ -42,32 +43,56 @@ static int load_script(struct linux_binprm *bprm)
fput(bprm->file);
bprm->file = NULL;
+ /*
+ * Truncating interpreter arguments is okay: the interpreter
+ * can re-read the script to parse them on its own. Truncating
+ * the interpreter path itself, though, is bad. Note truncation
+ * here, and check for either newline or start of arguments
+ * below.
+ */
for (cp = bprm->buf+2;; cp++) {
- if (cp >= bprm->buf + BINPRM_BUF_SIZE)
- return -ENOEXEC;
- if (!*cp || (*cp == '\n'))
+ if (cp == bprm->buf + BINPRM_BUF_SIZE - 1) {
+ truncated = true;
break;
+ }
+ if (!*cp || (*cp == '\n')) {
+ end_of_interp = true;
+ break;
+ }
}
*cp = '\0';
+ /* Truncate trailing whitespace */
while (cp > bprm->buf) {
cp--;
- if ((*cp == ' ') || (*cp == '\t'))
+ if ((*cp == ' ') || (*cp == '\t')) {
+ end_of_interp = true;
*cp = '\0';
- else
+ } else
break;
}
+ /* Skip leading whitespace */
for (cp = bprm->buf+2; (*cp == ' ') || (*cp == '\t'); cp++);
if (*cp == '\0')
return -ENOEXEC; /* No interpreter name found */
i_name = cp;
i_arg = NULL;
+ /*
+ * Skip until end of string or finding whitespace which
+ * signals the start of interpreter arguments.
+ */
for ( ; *cp && (*cp != ' ') && (*cp != '\t'); cp++)
/* nothing */ ;
- while ((*cp == ' ') || (*cp == '\t'))
+ /* Truncate and skip any whitespace in front of arguments */
+ while ((*cp == ' ') || (*cp == '\t')) {
+ end_of_interp = true;
*cp++ = '\0';
+ }
if (*cp)
i_arg = cp;
+ /* Fail exec if the name of the interpreter was cut off. */
+ if (truncated && !end_of_interp)
+ return -ENOEXEC;
/*
* OK, we've parsed out the interpreter name and
* (optional) argument.
--
2.17.1
--
Kees Cook
Powered by blists - more mailing lists