On January 25, 2022 10:42:41 PM PST, Kees Cook <keescook@xxxxxxxxxxxx> wrote: >On Wed, Jan 26, 2022 at 04:39:47AM +0000, Ariadne Conill wrote: >> The first argument to argv when used with execv family of calls is >> required to be the name of the program being executed, per POSIX. >> >> By validating this in do_execveat_common(), we can prevent execution >> of shellcode which invokes execv(2) family syscalls with argc < 1, >> a scenario which is disallowed by POSIX, thus providing a mitigation >> against CVE-2021-4034 and similar bugs in the future. >> >> The use of -EFAULT for this case is similar to other systems, such >> as FreeBSD and OpenBSD. >> >> Interestingly, Michael Kerrisk opened an issue about this in 2008, For v2 please include a URL for this. I assume you mean this one? https://bugzilla.kernel.org/show_bug.cgi?id=8408 >> but there was no consensus to support fixing this issue then. >> Hopefully now that CVE-2021-4034 shows practical exploitative use >> of this bug in a shellcode, we can reconsider. >> >> Signed-off-by: Ariadne Conill <ariadne@xxxxxxxxxxxxxxxx> > >Yup. Agreed. For context: >https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt > >> --- >> fs/exec.c | 4 +++- >> 1 file changed, 3 insertions(+), 1 deletion(-) >> >> diff --git a/fs/exec.c b/fs/exec.c >> index 79f2c9483302..de0b832473ed 100644 >> --- a/fs/exec.c >> +++ b/fs/exec.c >> @@ -1897,8 +1897,10 @@ static int do_execveat_common(int fd, struct filename *filename, >> } >> >> retval = count(argv, MAX_ARG_STRINGS); >> - if (retval < 0) >> + if (retval < 1) { >> + retval = -EFAULT; >> goto out_free; >> + } Actually, no, this needs to be more carefully special-cased to avoid masking error returns from count(). (e.g. -E2BIG would vanish with this patch.) Perhaps just add: if (retval == 0) { retval = -EFAULT; goto out_free; } > >There shouldn't be anything legitimate actually doing this in userspace. I spoke too soon. Unfortunately, this is not the case: https://codesearch.debian.net/search?q=execve%5C+*%5C%28%5B%5E%2C%5D%2B%2C+*NULL&literal=0 Lots of stuff likes to do: execve(path, NULL, NULL); Do these things depend on argc==0 would be my next question... > >-Kees > >> bprm->argc = retval; >> >> retval = count(envp, MAX_ARG_STRINGS); >> -- >> 2.34.1 >> > -- Kees Cook
