| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20210615162346.16032-1-avagin@gmail.com>
Date: Tue, 15 Jun 2021 09:23:46 -0700
From: Andrei Vagin <avagin@...il.com>
To: "Eric W. Biederman" <ebiederm@...ssion.com>
Cc: linux-kernel@...r.kernel.org, Kees Cook <keescook@...omium.org>,
linux-fsdevel@...r.kernel.org, Andrei Vagin <avagin@...il.com>
Subject: [PATCH] exec/binfmt_script: trip zero bytes from the buffer
Without this fix, if we try to run a script that contains only the
interpreter line, the interpreter is executed with one extra empty
argument.
The code is written so that i_end has to be set to the end of valuable
data in the buffer.
Fixes: ccbb18b67323 ("exec/binfmt_script: Don't modify bprm->buf and then return -ENOEXEC")
Cc: "Eric W. Biederman" <ebiederm@...ssion.com>
Signed-off-by: Andrei Vagin <avagin@...il.com>
---
fs/binfmt_script.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/fs/binfmt_script.c b/fs/binfmt_script.c
index 1b6625e95958..e242680f96e1 100644
--- a/fs/binfmt_script.c
+++ b/fs/binfmt_script.c
@@ -68,6 +68,9 @@ static int load_script(struct linux_binprm *bprm)
if (!next_terminator(i_end, buf_end))
return -ENOEXEC;
i_end = buf_end;
+ /* Trim zero bytes from i_end */
+ while (i_end[-1] == 0)
+ i_end--;
}
/* Trim any trailing spaces/tabs from i_end */
while (spacetab(i_end[-1]))
--
2.31.1
Powered by blists - more mailing lists