Re: [PATCH v3] exec: load_script: Do not exec truncated interpreter path

From: Kees Cook
Date: Fri Feb 15 2019 - 12:01:44 EST


On Fri, Feb 15, 2019 at 8:39 AM Linus Torvalds
<torvalds@xxxxxxxxxxxxxxxxxxxx> wrote:
>
> On Fri, Feb 15, 2019 at 8:18 AM Oleg Nesterov <oleg@xxxxxxxxxx> wrote:
> >
> > Not sure. Consider a script file which has a single line
> >
> > #!/path/to/interpreter
> >
> > WITHOUT '\n' at the end.
>
> Heh. I'm not sure how valid that is, but it's an interesting case for sure.
>
> But it's actually fairly easy to fix with the franken-approach I did
> that combines mine and Kees' patches.
>
> Does this work?

+static inline bool no_tab_or_space(const char *first, const char *last)
+{
+ // Skip leading space
+ for (;tabspc(*first) ; first++)
+ if (!*first || first == last)
+ return false; // only space
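
Review bot: the return-value contract is unclear at the "return false; // only space" line, because the name no_tab_or_space() does not say what false means for a range that is whitespace all the way to last. A short comment above the function stating what true and false mean would let callers pick the right -ENOEXEC path. In the same loop body, the !*first test cannot fire, since the loop condition tabspc(*first) has already established that *first is a space or tab; it can be dropped, leaving only the first == last check.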

The !*first will never hit here (since it's been checked to be either
' ' or '\t'), and if first == last it's whitespace all the way, so we
could just return true here to bail out early (there's no interpreter
at all, so we want to -ENOEXEC still).

I'll get a version written and tested...

-Kees

--
Kees Cook