On Wed, Jan 26, 2022 at 04:39:47AM +0000, Ariadne Conill wrote:
> The first argument to argv when used with execv family of calls is
> required to be the name of the program being executed, per POSIX.
>
> By validating this in do_execveat_common(), we can prevent execution
> of shellcode which invokes execv(2) family syscalls with argc < 1,
> a scenario which is disallowed by POSIX, thus providing a mitigation
> against CVE-2021-4034 and similar bugs in the future.
>
> The use of -EFAULT for this case is similar to other systems, such
> as FreeBSD and OpenBSD.
>
> Interestingly, Michael Kerrisk opened an issue about this in 2008,
> but there was no consensus to support fixing this issue then.
> Hopefully now that CVE-2021-4034 shows practical exploitative use
> of this bug in a shellcode, we can reconsider.
>
> Signed-off-by: Ariadne Conill <ariadne@xxxxxxxxxxxxxxxx>

Yup. Agreed. For context:
https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt

> ---
>  fs/exec.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/fs/exec.c b/fs/exec.c
> index 79f2c9483302..de0b832473ed 100644
> --- a/fs/exec.c
> +++ b/fs/exec.c
> @@ -1897,8 +1897,10 @@ static int do_execveat_common(int fd, struct filename *filename,
>  }
>
>  retval = count(argv, MAX_ARG_STRINGS);
> - if (retval < 0)
> + if (retval < 1) {
> + retval = -EFAULT;
>  goto out_free;
> + }

There shouldn't be anything legitimate actually doing this in userspace.

-Kees

>  bprm->argc = retval;
>
>  retval = count(envp, MAX_ARG_STRINGS);
> --
> 2.34.1
>

--
Kees Cook
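Review bot: in the argv hunk, `if (retval < 1) { retval = -EFAULT; goto out_free; }` overwrites every negative value count() returns with -EFAULT, whereas the replaced `if (retval < 0) goto out_free;` passed count()'s own errno through to the caller; only the new argc == 0 case should map to -EFAULT. Keep the original error path and add the zero check in front of it, e.g. `if (retval == 0) retval = -EFAULT;` followed by the unchanged `if (retval < 0) goto out_free;`. The commit message should also state plainly that execve() with an empty argv now fails with EFAULT, since that is a visible ABI change even if, as the reply notes, nothing legitimate in userspace should depend on it.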