diff options
Diffstat (limited to 'fs/binfmt_script.c')
| -rw-r--r-- | fs/binfmt_script.c | 57 | 
1 files changed, 46 insertions, 11 deletions
| diff --git a/fs/binfmt_script.c b/fs/binfmt_script.c index d0078cbb718b..e996174cbfc0 100644 --- a/fs/binfmt_script.c +++ b/fs/binfmt_script.c @@ -14,13 +14,30 @@  #include <linux/err.h>  #include <linux/fs.h> +static inline bool spacetab(char c) { return c == ' ' || c == '\t'; } +static inline char *next_non_spacetab(char *first, const char *last) +{ +	for (; first <= last; first++) +		if (!spacetab(*first)) +			return first; +	return NULL; +} +static inline char *next_terminator(char *first, const char *last) +{ +	for (; first <= last; first++) +		if (spacetab(*first) || !*first) +			return first; +	return NULL; +} +  static int load_script(struct linux_binprm *bprm)  {  	const char *i_arg, *i_name; -	char *cp; +	char *cp, *buf_end;  	struct file *file;  	int retval; +	/* Not ours to exec if we don't start with "#!". */  	if ((bprm->buf[0] != '#') || (bprm->buf[1] != '!'))  		return -ENOEXEC; @@ -33,23 +50,41 @@ static int load_script(struct linux_binprm *bprm)  	if (bprm->interp_flags & BINPRM_FLAGS_PATH_INACCESSIBLE)  		return -ENOENT; -	/* -	 * This section does the #! interpretation. -	 * Sorta complicated, but hopefully it will work.  -TYT -	 */ - +	/* Release since we are not mapping a binary into memory. */  	allow_write_access(bprm->file);  	fput(bprm->file);  	bprm->file = NULL; -	for (cp = bprm->buf+2;; cp++) { -		if (cp >= bprm->buf + BINPRM_BUF_SIZE) +	/* +	 * This section handles parsing the #! line into separate +	 * interpreter path and argument strings. We must be careful +	 * because bprm->buf is not yet guaranteed to be NUL-terminated +	 * (though the buffer will have trailing NUL padding when the +	 * file size was smaller than the buffer size). +	 * +	 * We do not want to exec a truncated interpreter path, so either +	 * we find a newline (which indicates nothing is truncated), or +	 * we find a space/tab/NUL after the interpreter path (which +	 * itself may be preceded by spaces/tabs). Truncating the +	 * arguments is fine: the interpreter can re-read the script to +	 * parse them on its own. +	 */ +	buf_end = bprm->buf + sizeof(bprm->buf) - 1; +	cp = strnchr(bprm->buf, sizeof(bprm->buf), '\n'); +	if (!cp) { +		cp = next_non_spacetab(bprm->buf + 2, buf_end); +		if (!cp) +			return -ENOEXEC; /* Entire buf is spaces/tabs */ +		/* +		 * If there is no later space/tab/NUL we must assume the +		 * interpreter path is truncated. +		 */ +		if (!next_terminator(cp, buf_end))  			return -ENOEXEC; -		if (!*cp || (*cp == '\n')) -			break; +		cp = buf_end;  	} +	/* NUL-terminate the buffer and any trailing spaces/tabs. */  	*cp = '\0'; -  	while (cp > bprm->buf) {  		cp--;  		if ((*cp == ' ') || (*cp == '\t')) | 
