From: Kees Cook <keescook@chromium.org>
To: Ariadne Conill <ariadne@dereferenced.org>
Cc: linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org,
Eric Biederman <ebiederm@xmission.com>,
Alexander Viro <viro@zeniv.linux.org.uk>
Subject: Re: [PATCH v2] fs/exec: require argv[0] presence in do_execveat_common()
Date: Wed, 26 Jan 2022 14:49:13 -0800 [thread overview]
Message-ID: <202201261440.0C13601104@keescook> (raw)
In-Reply-To: <64e91dc2-7f5c-6e8-308e-414c82a8ae6b@dereferenced.org>
On Wed, Jan 26, 2022 at 03:30:13PM -0600, Ariadne Conill wrote:
> Hi,
>
> On Wed, 26 Jan 2022, Kees Cook wrote:
>
> > On Wed, Jan 26, 2022 at 03:13:10PM -0600, Ariadne Conill wrote:
> > > Looks good to me, but I wonder if we shouldn't set an argv of
> > > {bprm->filename, NULL} instead of {"", NULL}. Discussion in IRC led to the
> > > realization that multicall programs will try to use argv[0] and might crash
> > > in this scenario. If we're going to fake an argv, I guess we should try to
> > > do it right.
> >
> > They're crashing currently, though, yes? I think the goal is to move
> > toward making execve(..., NULL, NULL) just not work at all. Using the
> > {"", NULL} injection just gets us closer to protecting a bad userspace
> > program. I think things _should_ crash if they try to start depending
> > on this work-around.
>
> Is there a reason to spawn a program, just to have it crash, rather than
> just denying it to begin with, though?
I think the correct behavior here is to unconditionally reject a NULL
argv -- and I wish this had gotten fixed in 2008. :P Given the code we've
found that depends on NULL argv, I think we likely can't make the change
outright, so we're down this weird rabbit hole of trying to reject what we
can and create work-around behaviors for the cases that currently exist.
I think new users of the new work-around shouldn't be considered. We'd
prefer they get a rejection, etc.
> I mean, it all seems fine enough, and perhaps I'm just a bit picky on the
> colors and flavors of my bikesheds, so if you want to go with this patch,
> I'll be glad to carry it in the Alpine security update I am doing to make
> sure the *other* GLib-using SUID programs people find don't get exploited in
> the same way.
They "don't break userspace" guideline is really "don't break userspace
if someone notices". :P Since this is a mitigation (not strictly a
security flaw fix), changes to userspace behavior tend to be very
conservatively viewed by Linus. ;)
My preference is the earlier very simple version to fix this:
diff --git a/fs/exec.c b/fs/exec.c
index 79f2c9483302..aabadcf4a525 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -1897,6 +1897,8 @@ static int do_execveat_common(int fd, struct filename *filename,
}
retval = count(argv, MAX_ARG_STRINGS);
+ if (reval == 0)
+ retval = -EINVAL;
if (retval < 0)
goto out_free;
bprm->argc = retval;
So, I guess we should start there and send a patch to valgrind?
--
Kees Cook
next prev parent reply other threads:[~2022-01-26 22:49 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-01-26 11:44 [PATCH v2] fs/exec: require argv[0] presence in do_execveat_common() Ariadne Conill
2022-01-26 14:40 ` Matthew Wilcox
2022-01-26 17:41 ` Ariadne Conill
2022-01-26 14:59 ` Matthew Wilcox
2022-01-26 16:40 ` Kees Cook
2022-01-26 16:57 ` Eric W. Biederman
2022-01-26 17:32 ` Ariadne Conill
2022-01-26 18:03 ` Matthew Wilcox
2022-01-26 18:38 ` Ariadne Conill
2022-01-26 20:09 ` Kees Cook
2022-01-26 20:23 ` Ariadne Conill
2022-01-26 20:56 ` Kees Cook
2022-01-26 21:13 ` Ariadne Conill
2022-01-26 21:25 ` Kees Cook
2022-01-26 21:30 ` Ariadne Conill
2022-01-26 22:49 ` Kees Cook [this message]
2022-01-26 23:07 ` Ariadne Conill
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202201261440.0C13601104@keescook \
--to=keescook@chromium.org \
--cc=ariadne@dereferenced.org \
--cc=ebiederm@xmission.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).