Re: [PATCH v2] fs/exec: require argv[0] presence in do_execveat_common()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, Jan 26, 2022 at 03:30:13PM -0600, Ariadne Conill wrote:
> Hi,
> 
> On Wed, 26 Jan 2022, Kees Cook wrote:
> 
> > On Wed, Jan 26, 2022 at 03:13:10PM -0600, Ariadne Conill wrote:
> > > Looks good to me, but I wonder if we shouldn't set an argv of
> > > {bprm->filename, NULL} instead of {"", NULL}.  Discussion in IRC led to the
> > > realization that multicall programs will try to use argv[0] and might crash
> > > in this scenario.  If we're going to fake an argv, I guess we should try to
> > > do it right.
> > 
> > They're crashing currently, though, yes? I think the goal is to move
> > toward making execve(..., NULL, NULL) just not work at all. Using the
> > {"", NULL} injection just gets us closer to protecting a bad userspace
> > program. I think things _should_ crash if they try to start depending
> > on this work-around.
> 
> Is there a reason to spawn a program, just to have it crash, rather than
> just denying it to begin with, though?

I think the correct behavior here is to unconditionally reject a NULL
argv -- and I wish this had gotten fixed in 2008. :P Given the code we've
found that depends on NULL argv, I think we likely can't make the change
outright, so we're down this weird rabbit hole of trying to reject what we
can and create work-around behaviors for the cases that currently exist.
I think new users of the new work-around shouldn't be considered. We'd
prefer they get a rejection, etc.

> I mean, it all seems fine enough, and perhaps I'm just a bit picky on the
> colors and flavors of my bikesheds, so if you want to go with this patch,
> I'll be glad to carry it in the Alpine security update I am doing to make
> sure the *other* GLib-using SUID programs people find don't get exploited in
> the same way.

They "don't break userspace" guideline is really "don't break userspace
if someone notices". :P Since this is a mitigation (not strictly a
security flaw fix), changes to userspace behavior tend to be very
conservatively viewed by Linus. ;)

My preference is the earlier very simple version to fix this:

diff --git a/fs/exec.c b/fs/exec.c
index 79f2c9483302..aabadcf4a525 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -1897,6 +1897,8 @@ static int do_execveat_common(int fd, struct filename *filename,
 	}
 
 	retval = count(argv, MAX_ARG_STRINGS);
+	if (reval == 0)
+		retval = -EINVAL;
 	if (retval < 0)
 		goto out_free;
 	bprm->argc = retval;

So, I guess we should start there and send a patch to valgrind?

-- 
Kees Cook



[Index of Archives]     [Linux Ext4 Filesystem]     [Union Filesystem]     [Filesystem Testing]     [Ceph Users]     [Ecryptfs]     [NTFS 3]     [AutoFS]     [Kernel Newbies]     [Share Photos]     [Security]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux Cachefs]     [Reiser Filesystem]     [Linux RAID]     [NTFS 3]     [Samba]     [Device Mapper]     [CEPH Development]

  Powered by Linux