
@amadio
Created September 21, 2013 05:05
Add support for shebang lines with multiple arguments to Linux.
Add support for shebang lines with multiple arguments.
Signed-off-by: Guilherme Amadio <guilherme.amadio@gmail.com>
--- a/fs/binfmt_script.c 2013-09-02 17:46:10.000000000 -0300
+++ b/fs/binfmt_script.c 2013-09-21 00:44:05.516150638 -0300
@@ -16,86 +16,121 @@
static int load_script(struct linux_binprm *bprm)
{
- const char *i_arg, *i_name;
- char *cp;
+ const char *old_interp;
+ char *cp, *start, *end;
struct file *file;
- char interp[BINPRM_BUF_SIZE];
+ char bprm_buf_copy[BINPRM_BUF_SIZE];
int retval;
if ((bprm->buf[0] != '#') || (bprm->buf[1] != '!'))
return -ENOEXEC;
- /*
- * This section does the #! interpretation.
- * Sorta complicated, but hopefully it will work. -TYT
+
+ /* Work on a copy of bprm->buf to avoid corrupting it
+ * and ruining attempts of other handlers for it if we
+ * are not the right one.
*/
+ memcpy(bprm_buf_copy, bprm->buf, BINPRM_BUF_SIZE);
- allow_write_access(bprm->file);
- fput(bprm->file);
- bprm->file = NULL;
+ start = bprm_buf_copy+2;
+ end = bprm_buf_copy+BINPRM_BUF_SIZE-1;
- bprm->buf[BINPRM_BUF_SIZE - 1] = '\0';
- if ((cp = strchr(bprm->buf, '\n')) == NULL)
- cp = bprm->buf+BINPRM_BUF_SIZE-1;
- *cp = '\0';
- while (cp > bprm->buf) {
- cp--;
- if ((*cp == ' ') || (*cp == '\t'))
- *cp = '\0';
- else
+ /* Find beginning and end of the line */
+ for (cp = start; cp < end; cp++) {
+ if (*cp != ' ' && *cp != '\t') {
+ start = cp;
break;
+ }
}
- for (cp = bprm->buf+2; (*cp == ' ') || (*cp == '\t'); cp++);
- if (*cp == '\0')
- return -ENOEXEC; /* No interpreter name found */
- i_name = cp;
- i_arg = NULL;
- for ( ; *cp && (*cp != ' ') && (*cp != '\t'); cp++)
- /* nothing */ ;
- while ((*cp == ' ') || (*cp == '\t'))
+
+ for (cp = start; cp < end; cp++) {
+ if (*cp == '#' || *cp == '\n') {
+ end = cp;
+ break;
+ }
+ }
+
+ /* No interpreter found, let other handlers try it */
+ if (start == end)
+ return -ENOEXEC;
+
+ *end = '\0';
+
+ /* Find the end of the interpreter name */
+ for (cp = start; cp < end; cp++)
+ if (*cp == ' ' || *cp == '\t')
+ break;
+
+ /* Skip over space until first argument */
+ while (cp < end && (*cp == ' ' || *cp == '\t'))
*cp++ = '\0';
- if (*cp)
- i_arg = cp;
- strcpy (interp, i_name);
- /*
- * OK, we've parsed out the interpreter name and
- * (optional) argument.
- * Splice in (1) the interpreter's name for argv[0]
- * (2) (optional) argument to interpreter
- * (3) filename of shell script (replace argv[0])
- *
- * This is done in reverse order, because of how the
- * user environment and arguments are stored.
+
+ old_interp = bprm->interp;
+ bprm->interp = start;
+
+ /* From this point, we know that we are the correct handler
+ * for this file. After we modify bprm, we cannot let other
+ * handlers try anymore. We now need to build a list with
+ * the new interpreter and the arguments, but in reverse
+ * order, because of the way user environment and arguments
+ * are stored.
*/
+
retval = remove_arg_zero(bprm);
if (retval)
return retval;
- retval = copy_strings_kernel(1, &bprm->interp, bprm);
- if (retval < 0) return retval;
+ retval = copy_strings_kernel(1, &old_interp, bprm);
+ if (retval < 0)
+ goto out;
bprm->argc++;
- if (i_arg) {
- retval = copy_strings_kernel(1, &i_arg, bprm);
- if (retval < 0) return retval;
+
+ start = cp; cp = end;
+
+ while (cp > start) {
+ const char *arg;
+ /* Back up over trailing space */
+ do {
+ *cp-- = '\0';
+ } while (cp > start && (*cp == ' ' || *cp == '\t'));
+
+ /* Find the beginning of the argument */
+ while (cp >= start && *cp != ' ' && *cp != '\t') cp--;
+
+ arg = cp+1;
+ retval = copy_strings_kernel(1, &arg, bprm);
+ if (retval < 0)
+ goto out;
bprm->argc++;
}
- retval = copy_strings_kernel(1, &i_name, bprm);
- if (retval) return retval;
- bprm->argc++;
- retval = bprm_change_interp(interp, bprm);
- if (retval < 0)
- return retval;
- /*
- * OK, now restart the process with the interpreter's dentry.
- */
- file = open_exec(interp);
- if (IS_ERR(file))
- return PTR_ERR(file);
+ retval = copy_strings_kernel(1, &bprm->interp, bprm);
+ if (retval)
+ goto out;
+ bprm->argc++;
+ allow_write_access(bprm->file);
+ fput(bprm->file);
+ bprm->file = NULL;
+ file = open_exec(bprm->interp);
+ if (IS_ERR(file)) {
+ retval = PTR_ERR(file);
+ goto out;
+ }
bprm->file = file;
retval = prepare_binprm(bprm);
if (retval < 0)
- return retval;
- return search_binary_handler(bprm);
+ goto out;
+
+ bprm->recursion_depth++;
+ retval = search_binary_handler(bprm);
+
+out:
+ /* Restore old_interp to avoid stack data leak */
+ bprm->interp = old_interp;
+
+ if (retval == -ENOEXEC)
+ return -EINVAL;
+
+ return retval;
}
static struct linux_binfmt script_format = {
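Review bot: The `return retval;` that follows `remove_arg_zero(bprm)` bypasses the `out:` label, so on that failure `bprm->interp` is left pointing at `start`, which lies inside the on-stack `bprm_buf_copy` and is dead once load_script returns. Every later error path restores `old_interp` through `goto out`, and this one should as well: `if (retval) goto out;`. Because the patch drops `bprm_change_interp()` in favour of a pointer into a stack buffer, correctness now depends on every exit restoring the pointer; a comment at `bprm->interp = start;` stating that invariant would help, for example `/* points into bprm_buf_copy: must be restored at out: before returning */`. If the bprm teardown code outside this hunk frees `interp` when it differs from the filename, a missed restore would hand it a stack address, so that path is worth checking against the target tree.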