2005-04-16 15:20:36 -07:00
|
|
|
/*
|
|
|
|
|
* linux/fs/binfmt_script.c
|
|
|
|
|
*
|
2007-10-19 23:21:04 +02:00
|
|
|
* Copyright (C) 1996 Martin von Löwis
|
2005-04-16 15:20:36 -07:00
|
|
|
* original #!-checking implemented by tytso.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#include <linux/module.h>
|
|
|
|
|
#include <linux/string.h>
|
|
|
|
|
#include <linux/stat.h>
|
|
|
|
|
#include <linux/binfmts.h>
|
|
|
|
|
#include <linux/init.h>
|
|
|
|
|
#include <linux/file.h>
|
|
|
|
|
#include <linux/err.h>
|
|
|
|
|
#include <linux/fs.h>
|
|
|
|
|
|
2012-10-20 22:00:48 -04:00
|
|
|
static int load_script(struct linux_binprm *bprm)
|
2005-04-16 15:20:36 -07:00
|
|
|
{
|
2010-08-17 23:52:56 +01:00
|
|
|
const char *i_arg, *i_name;
|
|
|
|
|
char *cp;
|
2005-04-16 15:20:36 -07:00
|
|
|
struct file *file;
|
|
|
|
|
char interp[BINPRM_BUF_SIZE];
|
|
|
|
|
int retval;
|
|
|
|
|
|
2012-12-17 16:03:20 -08:00
|
|
|
if ((bprm->buf[0] != '#') || (bprm->buf[1] != '!'))
|
2005-04-16 15:20:36 -07:00
|
|
|
return -ENOEXEC;
|
|
|
|
|
/*
|
|
|
|
|
* This section does the #! interpretation.
|
|
|
|
|
* Sorta complicated, but hopefully it will work. -TYT
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
allow_write_access(bprm->file);
|
|
|
|
|
fput(bprm->file);
|
|
|
|
|
bprm->file = NULL;
|
|
|
|
|
|
|
|
|
|
bprm->buf[BINPRM_BUF_SIZE - 1] = '\0';
|
|
|
|
|
if ((cp = strchr(bprm->buf, '\n')) == NULL)
|
|
|
|
|
cp = bprm->buf+BINPRM_BUF_SIZE-1;
|
|
|
|
|
*cp = '\0';
|
|
|
|
|
while (cp > bprm->buf) {
|
|
|
|
|
cp--;
|
|
|
|
|
if ((*cp == ' ') || (*cp == '\t'))
|
|
|
|
|
*cp = '\0';
|
|
|
|
|
else
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
for (cp = bprm->buf+2; (*cp == ' ') || (*cp == '\t'); cp++);
|
|
|
|
|
if (*cp == '\0')
|
|
|
|
|
return -ENOEXEC; /* No interpreter name found */
|
|
|
|
|
i_name = cp;
|
|
|
|
|
i_arg = NULL;
|
|
|
|
|
for ( ; *cp && (*cp != ' ') && (*cp != '\t'); cp++)
|
|
|
|
|
/* nothing */ ;
|
|
|
|
|
while ((*cp == ' ') || (*cp == '\t'))
|
|
|
|
|
*cp++ = '\0';
|
|
|
|
|
if (*cp)
|
|
|
|
|
i_arg = cp;
|
|
|
|
|
strcpy (interp, i_name);
|
|
|
|
|
/*
|
|
|
|
|
* OK, we've parsed out the interpreter name and
|
|
|
|
|
* (optional) argument.
|
|
|
|
|
* Splice in (1) the interpreter's name for argv[0]
|
|
|
|
|
* (2) (optional) argument to interpreter
|
|
|
|
|
* (3) filename of shell script (replace argv[0])
|
|
|
|
|
*
|
|
|
|
|
* This is done in reverse order, because of how the
|
|
|
|
|
* user environment and arguments are stored.
|
|
|
|
|
*/
|
2007-07-19 01:48:16 -07:00
|
|
|
retval = remove_arg_zero(bprm);
|
|
|
|
|
if (retval)
|
|
|
|
|
return retval;
|
2005-04-16 15:20:36 -07:00
|
|
|
retval = copy_strings_kernel(1, &bprm->interp, bprm);
|
|
|
|
|
if (retval < 0) return retval;
|
|
|
|
|
bprm->argc++;
|
|
|
|
|
if (i_arg) {
|
|
|
|
|
retval = copy_strings_kernel(1, &i_arg, bprm);
|
|
|
|
|
if (retval < 0) return retval;
|
|
|
|
|
bprm->argc++;
|
|
|
|
|
}
|
|
|
|
|
retval = copy_strings_kernel(1, &i_name, bprm);
|
|
|
|
|
if (retval) return retval;
|
|
|
|
|
bprm->argc++;
|
exec: do not leave bprm->interp on stack
If a series of scripts are executed, each triggering module loading via
unprintable bytes in the script header, kernel stack contents can leak
into the command line.
Normally execution of binfmt_script and binfmt_misc happens recursively.
However, when modules are enabled, and unprintable bytes exist in the
bprm->buf, execution will restart after attempting to load matching
binfmt modules. Unfortunately, the logic in binfmt_script and
binfmt_misc does not expect to get restarted. They leave bprm->interp
pointing to their local stack. This means on restart bprm->interp is
left pointing into unused stack memory which can then be copied into the
userspace argv areas.
After additional study, it seems that both recursion and restart remains
the desirable way to handle exec with scripts, misc, and modules. As
such, we need to protect the changes to interp.
This changes the logic to require allocation for any changes to the
bprm->interp. To avoid adding a new kmalloc to every exec, the default
value is left as-is. Only when passing through binfmt_script or
binfmt_misc does an allocation take place.
For a proof of concept, see DoTest.sh from:
http://www.halfdog.net/Security/2012/LinuxKernelBinfmtScriptStackDataDisclosure/
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: halfdog <me@halfdog.net>
Cc: P J P <ppandit@redhat.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-12-20 15:05:16 -08:00
|
|
|
retval = bprm_change_interp(interp, bprm);
|
|
|
|
|
if (retval < 0)
|
|
|
|
|
return retval;
|
2005-04-16 15:20:36 -07:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* OK, now restart the process with the interpreter's dentry.
|
|
|
|
|
*/
|
|
|
|
|
file = open_exec(interp);
|
|
|
|
|
if (IS_ERR(file))
|
|
|
|
|
return PTR_ERR(file);
|
|
|
|
|
|
|
|
|
|
bprm->file = file;
|
|
|
|
|
retval = prepare_binprm(bprm);
|
|
|
|
|
if (retval < 0)
|
|
|
|
|
return retval;
|
2012-10-20 21:53:31 -04:00
|
|
|
return search_binary_handler(bprm);
|
2005-04-16 15:20:36 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static struct linux_binfmt script_format = {
|
|
|
|
|
.module = THIS_MODULE,
|
|
|
|
|
.load_binary = load_script,
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
static int __init init_script_binfmt(void)
|
|
|
|
|
{
|
2012-03-17 03:05:16 -04:00
|
|
|
register_binfmt(&script_format);
|
|
|
|
|
return 0;
|
2005-04-16 15:20:36 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void __exit exit_script_binfmt(void)
|
|
|
|
|
{
|
|
|
|
|
unregister_binfmt(&script_format);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
core_initcall(init_script_binfmt);
|
|
|
|
|
module_exit(exit_script_binfmt);
|
|
|
|
|
MODULE_LICENSE("GPL");
|