linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Ariadne Conill <ariadne@dereferenced.org>
To: linux-kernel@vger.kernel.org
Cc: linux-fsdevel@vger.kernel.org,
	Eric Biederman <ebiederm@xmission.com>,
	Kees Cook <keescook@chromium.org>,
	Alexander Viro <viro@zeniv.linux.org.uk>,
	Ariadne Conill <ariadne@dereferenced.org>
Subject: [PATCH] fs/exec: require argv[0] presence in do_execveat_common()
Date: Wed, 26 Jan 2022 04:39:47 +0000	[thread overview]
Message-ID: <20220126043947.10058-1-ariadne@dereferenced.org> (raw)

The first argument to argv when used with execv family of calls is
required to be the name of the program being executed, per POSIX.

By validating this in do_execveat_common(), we can prevent execution
of shellcode which invokes execv(2) family syscalls with argc < 1,
a scenario which is disallowed by POSIX, thus providing a mitigation
against CVE-2021-4034 and similar bugs in the future.

The use of -EFAULT for this case is similar to other systems, such
as FreeBSD and OpenBSD.

Interestingly, Michael Kerrisk opened an issue about this in 2008,
but there was no consensus to support fixing this issue then.
Hopefully now that CVE-2021-4034 shows practical exploitative use
of this bug in a shellcode, we can reconsider.

Signed-off-by: Ariadne Conill <ariadne@dereferenced.org>
---
 fs/exec.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/fs/exec.c b/fs/exec.c
index 79f2c9483302..de0b832473ed 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -1897,8 +1897,10 @@ static int do_execveat_common(int fd, struct filename *filename,
 	}
 
 	retval = count(argv, MAX_ARG_STRINGS);
-	if (retval < 0)
+	if (retval < 1) {
+		retval = -EFAULT;
 		goto out_free;
+	}
 	bprm->argc = retval;
 
 	retval = count(envp, MAX_ARG_STRINGS);
-- 
2.34.1


             reply	other threads:[~2022-01-26  4:48 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-01-26  4:39 Ariadne Conill [this message]
2022-01-26  6:42 ` [PATCH] fs/exec: require argv[0] presence in do_execveat_common() Kees Cook
2022-01-26  7:28   ` Kees Cook
2022-01-26 11:18     ` Ariadne Conill
2022-01-26 12:33       ` Heikki Kallasjoki
2022-01-26 23:57         ` Kees Cook
2022-01-27  0:20           ` Eric W. Biederman
2022-01-26 16:59     ` David Laight
2022-01-26 13:27 ` Rich Felker
2022-01-26 14:46   ` Christian Brauner
2022-01-26 17:37   ` Ariadne Conill
2022-02-01 20:54   ` hypervis0r
2022-01-26 15:02 Alexey Dobriyan
2022-01-27  0:00 ` Kees Cook

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20220126043947.10058-1-ariadne@dereferenced.org \
    --to=ariadne@dereferenced.org \
    --cc=ebiederm@xmission.com \
    --cc=keescook@chromium.org \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=viro@zeniv.linux.org.uk \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).