From f0b8a113dd04f1b973beb1d6a1675978aa2b2cc7 Mon Sep 17 00:00:00 2001 From: Edmund Wu Date: Thu, 14 Feb 2019 18:16:17 -0500 Subject: [PATCH] linux: allow for interpreter to be truncated via https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cb5b020a8d38f77209d0472a0fea755299a8ec78 see https://github.com/NixOS/nixpkgs/issues/53672 --- .../linux/kernel/interpreter-trunc.patch | 44 +++++++++++++++++++ pkgs/os-specific/linux/kernel/patches.nix | 7 +++ pkgs/top-level/all-packages.nix | 5 +++ 3 files changed, 56 insertions(+) create mode 100644 pkgs/os-specific/linux/kernel/interpreter-trunc.patch diff --git a/pkgs/os-specific/linux/kernel/interpreter-trunc.patch b/pkgs/os-specific/linux/kernel/interpreter-trunc.patch new file mode 100644 index 00000000000..a0eceec2258 --- /dev/null +++ b/pkgs/os-specific/linux/kernel/interpreter-trunc.patch @@ -0,0 +1,44 @@ +From cb5b020a8d38f77209d0472a0fea755299a8ec78 Mon Sep 17 00:00:00 2001 +From: Linus Torvalds +Date: Thu, 14 Feb 2019 15:02:18 -0800 +Subject: Revert "exec: load_script: don't blindly truncate shebang string" + +This reverts commit 8099b047ecc431518b9bb6bdbba3549bbecdc343. + +It turns out that people do actually depend on the shebang string being +truncated, and on the fact that an interpreter (like perl) will often +just re-interpret it entirely to get the full argument list. + +Reported-by: Samuel Dionne-Riel +Acked-by: Kees Cook +Cc: Oleg Nesterov +Signed-off-by: Linus Torvalds +--- + fs/binfmt_script.c | 10 +++------- + 1 file changed, 3 insertions(+), 7 deletions(-) + +diff --git a/fs/binfmt_script.c b/fs/binfmt_script.c +index d0078cbb718b..7cde3f46ad26 100644 +--- a/fs/binfmt_script.c ++++ b/fs/binfmt_script.c +@@ -42,14 +42,10 @@ static int load_script(struct linux_binprm *bprm) + fput(bprm->file); + bprm->file = NULL; + +- for (cp = bprm->buf+2;; cp++) { +- if (cp >= bprm->buf + BINPRM_BUF_SIZE) +- return -ENOEXEC; +- if (!*cp || (*cp == '\n')) +- break; +- } ++ bprm->buf[BINPRM_BUF_SIZE - 1] = '\0'; ++ if ((cp = strchr(bprm->buf, '\n')) == NULL) ++ cp = bprm->buf+BINPRM_BUF_SIZE-1; + *cp = '\0'; +- + while (cp > bprm->buf) { + cp--; + if ((*cp == ' ') || (*cp == '\t')) +-- +cgit 1.2-0.3.lf.el7 + diff --git a/pkgs/os-specific/linux/kernel/patches.nix b/pkgs/os-specific/linux/kernel/patches.nix index 4c338b37dec..18fd311ca06 100644 --- a/pkgs/os-specific/linux/kernel/patches.nix +++ b/pkgs/os-specific/linux/kernel/patches.nix @@ -57,4 +57,11 @@ rec { sha256 = "1l8xq02rd7vakxg52xm9g4zng0ald866rpgm8kjlh88mwwyjkrwv"; }; }; + + # https://github.com/NixOS/nixpkgs/issues/53672 + # https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cb5b020a8d38f77209d0472a0fea755299a8ec78 + interpreter-trunc = { + name = "interpreter-trunc"; + patch = ./interpreter-trunc.patch; + }; } diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 5c5c9ec8e91..2791b1f93a9 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -14576,6 +14576,7 @@ in # when adding a new linux version kernelPatches.cpu-cgroup-v2."4.11" kernelPatches.modinst_arg_list_too_long + kernelPatches.interpreter-trunc ]; }; @@ -14583,6 +14584,7 @@ in kernelPatches = [ kernelPatches.bridge_stp_helper kernelPatches.modinst_arg_list_too_long + kernelPatches.interpreter-trunc ]; }; @@ -14590,6 +14592,7 @@ in kernelPatches = [ kernelPatches.bridge_stp_helper kernelPatches.modinst_arg_list_too_long + kernelPatches.interpreter-trunc ]; }; @@ -14597,6 +14600,7 @@ in kernelPatches = [ kernelPatches.bridge_stp_helper kernelPatches.modinst_arg_list_too_long + kernelPatches.interpreter-trunc ]; }; @@ -14611,6 +14615,7 @@ in kernelPatches = [ kernelPatches.bridge_stp_helper kernelPatches.modinst_arg_list_too_long + kernelPatches.interpreter-trunc ]; };