Revert "exec: load_script: don't blindly truncate shebang string"

commit cb5b020a upstream. This reverts commit 8099b047. It turns out that people do actually depend on the shebang string being truncated, and on the fact that an interpreter (like perl) will often just re-interpret it entirely to get the full argument list. Reported-by: Samuel Dionne-Riel <samuel@dionne-riel.com> Acked-by: Kees Cook <keescook@chromium.org> Cc: Oleg Nesterov <oleg@redhat.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Revert "exec: load_script: don't blindly truncate shebang string"
commit cb5b020a upstream. This reverts commit 8099b047. It turns out that people do actually depend on the shebang string being truncated, and on the fact that an interpreter (like perl) will often just re-interpret it entirely to get the full argument list. Reported-by: Samuel Dionne-Riel <samuel@dionne-riel.com> Acked-by: Kees Cook <keescook@chromium.org> Cc: Oleg Nesterov <oleg@redhat.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
c2109f05 · Linus Torvalds · Greg Kroah-Hartman · 6f8c14ee · c2109f05
Commit c2109f05 authored Feb 14, 2019 by Linus Torvalds Committed by Greg Kroah-Hartman Feb 15, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 7 deletions

fs/binfmt_script.c fs/binfmt_script.c +3 -7

No files found.
--- a/fs/binfmt_script.c
+++ b/fs/binfmt_script.c
@@ -42,14 +42,10 @@ static int load_script(struct linux_binprm *bprm)
 	fput(bprm->file);
 	bprm->file = NULL;
-	for (cp = bprm->buf+2;; cp++) {
+	bprm->buf[BINPRM_BUF_SIZE - 1] = '\0';
-		if (cp >= bprm->buf + BINPRM_BUF_SIZE)
+	if ((cp = strchr(bprm->buf, '\n')) == NULL)
-			return -ENOEXEC;
+		cp = bprm->buf+BINPRM_BUF_SIZE-1;
-		if (!*cp || (*cp == '\n'))
-			break;
-	}
 	*cp = '\0';
 	while (cp > bprm->buf) {
 		cp--;
 		if ((*cp == ' ') || (*cp == '\t'))