From: Kees Cook <keescook@chromium.org>
To: Matthew Wilcox <willy@infradead.org>
Cc: Ariadne Conill <ariadne@dereferenced.org>,
linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org,
Eric Biederman <ebiederm@xmission.com>,
Alexander Viro <viro@zeniv.linux.org.uk>
Subject: Re: [PATCH v2] fs/exec: require argv[0] presence in do_execveat_common()
Date: Wed, 26 Jan 2022 08:40:49 -0800 [thread overview]
Message-ID: <202201260832.CCC8BB9@keescook> (raw)
In-Reply-To: <YfFh6O2JS6MybamT@casper.infradead.org>
On Wed, Jan 26, 2022 at 02:59:52PM +0000, Matthew Wilcox wrote:
> On Wed, Jan 26, 2022 at 11:44:47AM +0000, Ariadne Conill wrote:
> > Interestingly, Michael Kerrisk opened an issue about this in 2008[1],
> > but there was no consensus to support fixing this issue then.
> > Hopefully now that CVE-2021-4034 shows practical exploitative use
> > of this bug in a shellcode, we can reconsider.
> >
> > [0]: https://pubs.opengroup.org/onlinepubs/9699919799/functions/exec.html
> > [1]: https://bugzilla.kernel.org/show_bug.cgi?id=8408
>
> Having now read 8408 ... if ABI change is a concern (and I really doubt
> it is), we could treat calling execve() with a NULL argv as if the
> caller had passed an array of length 1 with the first element set to
> NULL. Just like we reopen fds 0,1,2 for suid execs if they were closed.
I was having similar thoughts this morning. We can't actually change the
argc, though, because of the various tests (see the debian code search
links) that explicitly tests for argc == 0 in the child. But, the flaw
is not the count, but rather that argv == argp in the argc == 0 case.
(Or that argv NULL-checking iteration begins at argv[1].)
But that would could fix easily by just adding an extra NULL. e.g.:
Currently:
argc = 1
argv = "foo", NULL
envp = "bar=baz", ..., NULL
argc = 0
argv = NULL
envp = "bar=baz", ..., NULL
We could just make the argc = 0 case be:
argc = 0
argv = NULL, NULL
envp = "bar=baz", ..., NULL
We need to be careful with the stack utilization counts, though, so I'm
thinking we could actually make this completely unconditional and just
pad envp by 1 NULL on the user stack:
argv = "what", "ever", NULL
NULL
envp = "bar=baz", ..., NULL
My only concern there is that there may be some code out there that
depends on envp immediately following the trailing argv NULL, so I think
my preference would be to pad only in the argc == 0 case and correctly
manage the stack utilization.
--
Kees Cook
next prev parent reply other threads:[~2022-01-26 16:40 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-01-26 11:44 [PATCH v2] fs/exec: require argv[0] presence in do_execveat_common() Ariadne Conill
2022-01-26 14:40 ` Matthew Wilcox
2022-01-26 17:41 ` Ariadne Conill
2022-01-26 14:59 ` Matthew Wilcox
2022-01-26 16:40 ` Kees Cook [this message]
2022-01-26 16:57 ` Eric W. Biederman
2022-01-26 17:32 ` Ariadne Conill
2022-01-26 18:03 ` Matthew Wilcox
2022-01-26 18:38 ` Ariadne Conill
2022-01-26 20:09 ` Kees Cook
2022-01-26 20:23 ` Ariadne Conill
2022-01-26 20:56 ` Kees Cook
2022-01-26 21:13 ` Ariadne Conill
2022-01-26 21:25 ` Kees Cook
2022-01-26 21:30 ` Ariadne Conill
2022-01-26 22:49 ` Kees Cook
2022-01-26 23:07 ` Ariadne Conill
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202201260832.CCC8BB9@keescook \
--to=keescook@chromium.org \
--cc=ariadne@dereferenced.org \
--cc=ebiederm@xmission.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=viro@zeniv.linux.org.uk \
--cc=willy@infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.