Kees Cook <keescook@xxxxxxxxxxxx> writes: > On Wed, Jan 26, 2022 at 12:33:39PM +0000, Heikki Kallasjoki wrote: >> On Wed, Jan 26, 2022 at 05:18:58AM -0600, Ariadne Conill wrote: >> > On Tue, 25 Jan 2022, Kees Cook wrote: >> > > Lots of stuff likes to do: >> > > execve(path, NULL, NULL); >> > >> > I looked at these, and these seem to basically be lazily-written test cases >> > which should be fixed. I didn't see any example of real-world applications >> > doing this. As noted in some of the test cases, there are comments like >> > "Solaris doesn't support this," etc. >> >> See also the (small) handful of instances of `execlp(cmd, NULL);` out >> there, which I imagine would start to fail: >> https://codesearch.debian.net/search?q=execlp%3F%5Cs*%5C%28%5B%5E%2C%5D%2B%2C%5Cs*NULL&literal=0 >> >> Two of the hits (ispell, nauty) would seem to be non-test use cases. > > Ah yeah, I've added this to the Issue tracker: > https://github.com/KSPP/linux/issues/176 I just took a slightly deeper look at these. There are two patterns found by that search. - execlp("/proc/self/exec", NULL) Which in both both the proot and care packages is a testt that deliberately loops and checks to see if it can generate "argc == 0". That is the case where changing argc == 0 into { "", NULL } will loop forever. For that test failing to exec the "argc == 0" will cause a test failure but for a security issue that seems a reasonable thing to do to a test. - execlp(MACRO, NULL) The macro happens to contain commas so what looks via inspection will generate an application run with "argc == 0" actually does not. Eric
