On Fri, Feb 15, 2019 at 9:01 AM Kees Cook wrote:
>
> The !*first will never hit here (since it's been checked to be either
> ' ' or '\t', and if first == last it's whitespace all the way, so we
> could just return true here to bail out early (there's no interpreter
> at all, so we want to -ENOEXEC
On 02/15, Linus Torvalds wrote:
>
> +static inline bool tabspc(char c) { return c == ' ' || c == '\t'; }
> +static inline bool no_tab_or_space(const char *first, const char *last)
> +{
> + // Skip leading space
> + for (;tabspc(*first) ; first++)
> + if (!*first || first == last
On Fri, Feb 15, 2019 at 8:39 AM Linus Torvalds
wrote:
>
> On Fri, Feb 15, 2019 at 8:18 AM Oleg Nesterov wrote:
> >
> > Not sure. Consider a script file which has a single line
> >
> > #!/path/to/interpreter
> >
> > WITHOUT '\n' at the end.
>
> Heh. I'm not sure how valid that is, but it's
On Fri, Feb 15, 2019 at 8:18 AM Oleg Nesterov wrote:
>
> Not sure. Consider a script file which has a single line
>
> #!/path/to/interpreter
>
> WITHOUT '\n' at the end.
Heh. I'm not sure how valid that is, but it's an interesting case for sure.
But it's actually fairly easy to fix with
On Fri, Feb 15, 2019 at 8:18 AM Oleg Nesterov wrote:
> WITHOUT '\n' at the end. If I read load_script() correctly it should work,
> so I think the 2nd for() loop should also reset "truncated" if *cp == '\0'.
Correct. My original v3 handles this correctly. I'll work on a version
with small inline
On 02/14, Kees Cook wrote:
>
> --- a/fs/binfmt_script.c
> +++ b/fs/binfmt_script.c
> @@ -42,9 +42,18 @@ static int load_script(struct linux_binprm *bprm)
> fput(bprm->file);
> bprm->file = NULL;
>
> - bprm->buf[BINPRM_BUF_SIZE - 1] = '\0';
> - if ((cp = strchr(bprm->buf,
On Fri, Feb 15, 2019 at 7:55 AM Linus Torvalds
wrote:
>
> On Thu, Feb 14, 2019 at 10:15 PM Kees Cook wrote:
> >
> > The only way we know the interpreter wasn't truncated in the
> > no-newline case is if we see whitespace after first skipping any
> > leading whitespace, and it seemed really ugly t
On Fri, Feb 15, 2019 at 8:05 AM Linus Torvalds
wrote:
>
> And even that doesn't really fix it, because what it really wants is
> "strnchr()" (to stop at a NUL too). Which doesn't exist.
.. actually it does exist in the kernel, and I should read all my
emails before writing new ones, because you h
On Fri, Feb 15, 2019 at 7:54 AM Linus Torvalds
wrote:
>
> What's wrong with this simple and fairly self-describing patch?
Simple but with two bugs.
First off, the trivial one: I transposed the arguments to memchr(). It
would need to be
cp = memchr(bprm->buf, '\n', BINPRM_BUF_SIZE);
bec
On Thu, Feb 14, 2019 at 10:15 PM Kees Cook wrote:
>
> The only way we know the interpreter wasn't truncated in the
> no-newline case is if we see whitespace after first skipping any
> leading whitespace, and it seemed really ugly to add a special scan
> there.
No, much easier (and likely better c
On Thu, Feb 14, 2019 at 10:14 PM Kees Cook wrote:
> But, as it turns out, the above is actually wrong too (yay for my test
> cases): the NUL termination before the loop (line 45) may blow away
> the newline at byte 127. So we need to actually manually scan for the
> newline while doing the out-of-
On Thu, Feb 14, 2019 at 8:49 PM Linus Torvalds
wrote:
>
>
>
> On Thu, Feb 14, 2019, 19:18 Kees Cook >
>>
>> fs/binfmt_script.c | 97 +++---
>> 1 file changed, 82 insertions(+), 15 deletions(-)
>
> No, why?
In my defense, 56 of those 82 lines are comments.
12 matches
Mail list logo
