From: Kees Cook <kees@kernel.org>
To: Al Viro <viro@zeniv.linux.org.uk>
Cc: "Kees Cook" <kees@kernel.org>,
syzbot+03e1af5c332f7e0eb84b@syzkaller.appspotmail.com,
"Christian Brauner" <brauner@kernel.org>,
"Jan Kara" <jack@suse.cz>,
"Eric Biederman" <ebiederm@xmission.com>,
linux-fsdevel@vger.kernel.org, linux-mm@kvack.org,
"Tycho Andersen" <tandersen@netflix.com>,
"Zbigniew Jędrzejewski-Szmek" <zbyszek@in.waw.pl>,
linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: [PATCH] exec: NULL out bprm->argv0 when it is an ERR_PTR
Date: Tue, 5 Nov 2024 10:19:11 -0800
Message-ID: <20241105181905.work.462-kees@kernel.org>

Attempting to free an ERR_PTR will not work. ;)

    process 'syz-executor210' launched '/dev/fd/3' with NULL argv: empty string added
    kernel BUG at arch/x86/mm/physaddr.c:23!

Set bprm->argv0 to NULL if it fails to get a string from userspace so
that bprm_free() will not try to free an invalid pointer when cleaning up.

Reported-by: syzbot+03e1af5c332f7e0eb84b@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/6729d8d1.050a0220.701a.0017.GAE@google.com
Fixes: 7bdc6fc85c9a ("exec: fix up /proc/pid/comm in the execveat(AT_EMPTY_PATH) case")
Signed-off-by: Kees Cook <kees@kernel.org>
---
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Christian Brauner <brauner@kernel.org>
Cc: Jan Kara <jack@suse.cz>
Cc: Eric Biederman <ebiederm@xmission.com>
Cc: linux-fsdevel@vger.kernel.org
Cc: linux-mm@kvack.org
---
fs/exec.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/fs/exec.c b/fs/exec.c
index 79045c1d1608..65448ea609a2 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -1522,8 +1522,12 @@ static int bprm_add_fixup_comm(struct linux_binprm *bprm,
return 0;
bprm->argv0 = strndup_user(p, MAX_ARG_STRLEN);
- if (IS_ERR(bprm->argv0))
- return PTR_ERR(bprm->argv0);
+ if (IS_ERR(bprm->argv0)) {
+ int rc = PTR_ERR(bprm->argv0);
+
+ bprm->argv0 = NULL;
+ return rc;
+ }
return 0;
}
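Review bot: In the IS_ERR() branch, bprm->argv0 holds the ERR_PTR from the strndup_user() assignment until it is reset to NULL, so the field is briefly invalid and any error path added later has to remember to clear it. Consider taking the result in a local and storing it only on success: `char *argv0 = strndup_user(p, MAX_ARG_STRLEN);`, then `if (IS_ERR(argv0)) return PTR_ERR(argv0);`, then `bprm->argv0 = argv0;`. Assuming the field starts out NULL, that removes the rc temporary and keeps argv0 as either NULL or a freeable pointer, which is what the commit message says bprm_free() needs. If the current shape stays, a one-line comment above `bprm->argv0 = NULL;` noting that bprm_free() frees this field would keep the reset from being dropped as redundant.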
--
2.34.1