exec: load_script: don't blindly truncate shebang string - linux.git - dakr's fork of kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

diff options

author	Oleg Nesterov <oleg@redhat.com>	2019-01-03 15:28:07 -0800
committer	Linus Torvalds <torvalds@linux-foundation.org>	2019-01-04 13:13:47 -0800
commit	8099b047ecc431518b9bb6bdbba3549bbecdc343 (patch)
tree	f0abafbb5f20984f92165e4da26fb37377dd497a /fs/exec.c
parent	fb5bf31722d0805a3f394f7d59f2e8cd07acccb7 (diff)

exec: load_script: don't blindly truncate shebang string

load_script() simply truncates bprm->buf and this is very wrong if the length of shebang string exceeds BINPRM_BUF_SIZE-2. This can silently truncate i_arg or (worse) we can execute the wrong binary if buf[2:126] happens to be the valid executable path. Change load_script() to return ENOEXEC if it can't find '\n' or zero in bprm->buf. Note that '\0' can come from either prepare_binprm()->memset() or from kernel_read(), we do not care. Link: http://lkml.kernel.org/r/20181112160931.GA28463@redhat.com Signed-off-by: Oleg Nesterov <oleg@redhat.com> Acked-by: Kees Cook <keescook@chromium.org> Acked-by: Michal Hocko <mhocko@suse.com> Cc: Ben Woodard <woodard@redhat.com> Cc: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Diffstat (limited to 'fs/exec.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: