When handling the argc == 0 case, the stack space calculation should be using max() not min(). Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx> --- This is a fix for exec-force-single-empty-string-when-argv-is-empty.patch https://lore.kernel.org/mm-commits/20220201004100.BF6D6C340E8@xxxxxxxxxxxxxxx/ --- fs/exec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/exec.c b/fs/exec.c index bbf3aadf7ce1..40b1008fb0f7 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -502,7 +502,7 @@ static int bprm_stack_limits(struct linux_binprm *bprm) * argc can never be 0, to keep them from walking envp by accident. * See do_execveat_common(). */ - ptr_size = (min(bprm->argc, 1) + bprm->envc) * sizeof(void *); + ptr_size = (max(bprm->argc, 1) + bprm->envc) * sizeof(void *); if (limit <= ptr_size) return -E2BIG; limit -= ptr_size; -- 2.30.2
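Review bot: The changelog understates what the `ptr_size` line in bprm_stack_limits() was getting wrong. It frames this as an argc == 0 problem, but `min(bprm->argc, 1)` evaluates to at most 1 for every positive argc, so the amount subtracted from `limit` covered a single argv pointer plus envc no matter how many arguments were passed. That made the `limit <= ptr_size` check that returns -E2BIG more lenient than intended for ordinary execs as well. Suggest saying so in the commit message, so it is clear that `max(bprm->argc, 1)` both restores the per-argument accounting and keeps one slot reserved when argc is 0. The code change itself looks right; the comment above it ("argc can never be 0 ... See do_execveat_common()") could also state explicitly that the floor of 1 is the slot for the forced empty string.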