kernel: reject bogus two byte "#!" shell scripts in sysexec()
- reject files smaller than or equal to two bytes, they are bogus
- fix out of bounds access in shargs() when n <= 2
- only copy the bytes read into line buffer
- use nil for pointers instead of 0
parent
8ed25f24b7
commit
9ab096a707
1 changed files with 18 additions and 18 deletions
|
@ -278,19 +278,18 @@ sysexec(va_list list)
|
||||||
kstrdup(&elem, up->genbuf);
|
kstrdup(&elem, up->genbuf);
|
||||||
|
|
||||||
n = devtab[tc->type]->read(tc, &exec, sizeof(Exec), 0);
|
n = devtab[tc->type]->read(tc, &exec, sizeof(Exec), 0);
|
||||||
if(n < 2)
|
if(n <= 2)
|
||||||
error(Ebadexec);
|
error(Ebadexec);
|
||||||
magic = l2be(exec.magic);
|
if(n == sizeof(Exec) && (magic = l2be(exec.magic)) == AOUT_MAGIC){
|
||||||
text = l2be(exec.text);
|
text = l2be(exec.text);
|
||||||
entry = l2be(exec.entry);
|
entry = l2be(exec.entry);
|
||||||
if(n==sizeof(Exec) && (magic == AOUT_MAGIC)){
|
|
||||||
switch(magic){
|
switch(magic){
|
||||||
case S_MAGIC:
|
case S_MAGIC:
|
||||||
text += 8;
|
text += 8;
|
||||||
align = 0x200000ull; /* 2MB segment alignment for amd64 */
|
align = 0x200000; /* 2MB segment alignment for amd64 */
|
||||||
break;
|
break;
|
||||||
case V_MAGIC:
|
case V_MAGIC:
|
||||||
align = 0x4000ull; /* MIPS has 16K page alignment */
|
align = 0x4000; /* MIPS has 16K page alignment */
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
if(text >= (USTKTOP-USTKSIZE)-(UTZERO+sizeof(Exec))
|
if(text >= (USTKTOP-USTKSIZE)-(UTZERO+sizeof(Exec))
|
||||||
|
@ -303,18 +302,18 @@ sysexec(va_list list)
|
||||||
/*
|
/*
|
||||||
* Process #! /bin/sh args ...
|
* Process #! /bin/sh args ...
|
||||||
*/
|
*/
|
||||||
memmove(line, &exec, sizeof(Exec));
|
memmove(line, &exec, n);
|
||||||
if(indir || line[0]!='#' || line[1]!='!')
|
if(indir || line[0]!='#' || line[1]!='!')
|
||||||
error(Ebadexec);
|
error(Ebadexec);
|
||||||
n = shargs(line, n, progarg);
|
n = shargs(line, n, progarg);
|
||||||
if(n == 0)
|
if(n < 1)
|
||||||
error(Ebadexec);
|
error(Ebadexec);
|
||||||
indir = 1;
|
indir = 1;
|
||||||
/*
|
/*
|
||||||
* First arg becomes complete file name
|
* First arg becomes complete file name
|
||||||
*/
|
*/
|
||||||
progarg[n++] = file;
|
progarg[n++] = file;
|
||||||
progarg[n] = 0;
|
progarg[n] = nil;
|
||||||
argp0++;
|
argp0++;
|
||||||
file = progarg[0];
|
file = progarg[0];
|
||||||
if(strlen(elem) >= sizeof progelem)
|
if(strlen(elem) >= sizeof progelem)
|
||||||
|
@ -539,27 +538,28 @@ shargs(char *s, int n, char **ap)
|
||||||
|
|
||||||
s += 2;
|
s += 2;
|
||||||
n -= 2; /* skip #! */
|
n -= 2; /* skip #! */
|
||||||
for(i=0; s[i]!='\n'; i++)
|
for(i=0;; i++){
|
||||||
if(i == n-1)
|
if(i >= n)
|
||||||
return 0;
|
return 0;
|
||||||
|
if(s[i]=='\n')
|
||||||
|
break;
|
||||||
|
}
|
||||||
s[i] = 0;
|
s[i] = 0;
|
||||||
*ap = 0;
|
|
||||||
i = 0;
|
i = 0;
|
||||||
for(;;) {
|
for(;;) {
|
||||||
while(*s==' ' || *s=='\t')
|
while(*s==' ' || *s=='\t')
|
||||||
s++;
|
s++;
|
||||||
if(*s == 0)
|
if(*s == 0)
|
||||||
break;
|
break;
|
||||||
i++;
|
ap[i++] = s++;
|
||||||
*ap++ = s;
|
|
||||||
*ap = 0;
|
|
||||||
while(*s && *s!=' ' && *s!='\t')
|
while(*s && *s!=' ' && *s!='\t')
|
||||||
s++;
|
s++;
|
||||||
if(*s == 0)
|
if(*s == 0)
|
||||||
break;
|
break;
|
||||||
else
|
*s++ = 0;
|
||||||
*s++ = 0;
|
|
||||||
}
|
}
|
||||||
|
ap[i] = nil;
|
||||||
return i;
|
return i;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
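Review bot: shargs() in the third hunk still writes `ap[i++] = s++` and `ap[i] = nil` with no capacity argument, so the number of pointers stored is bounded only by the length of the first line of the file being executed. By my count an n-byte read yields at most n/2-1 arguments, so shargs() touches up to n/2 slots and sysexec() needs one more for `progarg[n] = nil` after it appends `file`. The declarations of `line` and `progarg` are outside the hunks, so I cannot confirm the array is sized for that. I would record the invariant above shargs(), e.g. `/* ap must hold n/2+1 pointers: at most n/2-1 args, then file and nil added by sysexec() */`. sysexec() continues outside the hunks and the start of shargs() is not shown.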