From: Samuel Dionne-Riel
Date: Wed, 13 Feb 2019 22:16:13 -0500
Subject: Re: Userspace regression in LTS and stable kernels
To: Kees Cook
Cc: Richard Weinberger, LKML, Linus Torvalds, Graham Christensen, Oleg Nesterov, Michal Hocko, Andrew Morton
X-Mailing-List: linux-kernel@vger.kernel.org

On 13/02/2019, Kees Cook wrote:
> The original problem that was trying to be fixed here was to disallow
> execution of a truncated interpreter path. It was assumed argument
> truncate was just as bad, but it's not, since the interpreter can (and
> does!) re-read the script to get the right arguments.
>
> So, I've sent a fix-up patch that should disallow the path truncation,
> but pass through the argument truncation as before. This passes all
> the tests I built:
>
> [...]
>
> Are you able to test the patch and report back?

The patch works as implemented. It also fixes the specific regression
which affected NixOS.

This was verified to work once applied to 4.14 in our testing infra.
Confidence is high enough that I don't think I need to test other
LTS/stable versions.

Though, I have one minor doubt in mind. Looking at man 2 execve,

    ENOEXEC
        An executable is not in a recognized format, is for the wrong
        architecture, or has some other format error that means it
        cannot be executed.

I can see "or some other format error" could be misapplied to mean
ENOEXEC on failure to read the shebang, but I'm thinking it's kinda
abusing the meaning behind the failure. The format was recognized, as a
shebang, but it was impossible to use the shebang. If I were to misuse
an error code, I would probably misuse ENAMETOOLONG.

I'm still doubting ENOEXEC is safe to not cause issues since a
truncated interpreter name (not shebang) will end up with a different
behaviour than expected in the exec(3) userspace scenario, where with
ENOEXEC the shell will be used instead of failing. Though, this is a
different face to the same root regression reported here; our initial
issue with the regression can be deemed fully resolved with the patch.

In all cases, I think the man page will need an update to describe the
new failure mode with truncated shebangs, and describe the non-failure
mode when truncating arguments.

> Thanks again for bringing this to our attention!

Thanks for the quick turnaround!

-- 
— Samuel Dionne-Riel
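
Added example, not part of the original message and not the kernel's own code: a userspace C model of the distinction discussed in this thread, between a shebang line whose interpreter path is cut off (refused) and one where only the arguments are cut off (passed through). The 127-byte window and the names classify_shebang and make_script are assumptions made for illustration; the sample scripts are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Assumption: the kernel inspects the first 127 bytes of the file
 * (a 128-byte BINPRM_BUF_SIZE minus a terminator) in the kernels discussed. */
#define SHEBANG_WINDOW 127

enum shebang { NOT_SCRIPT, SHEBANG_OK, ARGS_TRUNCATED, PATH_TRUNCATED };

static int blank(char c) { return c == ' ' || c == '\t'; }

/* Classify the start of a file the way the thread describes the fixed
 * behaviour: a cut-off interpreter path is refused, cut-off arguments pass. */
enum shebang classify_shebang(const char *data, size_t len)
{
    size_t win = len < SHEBANG_WINDOW ? len : SHEBANG_WINDOW;
    if (win < 2 || data[0] != '#' || data[1] != '!')
        return NOT_SCRIPT;

    const char *nl = memchr(data, '\n', win);
    size_t end = nl ? (size_t)(nl - data) : win;
    /* The line is complete if its newline, or end of file, is in the window. */
    int complete = nl != NULL || len <= SHEBANG_WINDOW;
    size_t i = 2;
    while (i < end && blank(data[i])) i++;      /* skip blanks after "#!" */
    size_t j = i;
    while (j < end && !blank(data[j])) j++;     /* end of interpreter path */
    if (i == j) return NOT_SCRIPT;              /* no interpreter named */
    if (complete) return SHEBANG_OK;
    /* Line runs past the window: a blank seen after the path proves the
     * path itself is whole and only the arguments were cut. */
    return j < end ? ARGS_TRUNCATED : PATH_TRUNCATED;
}

/* Constructed sample: "#!/" + path_len times 'a' + "/sh" + args + newline. */
size_t make_script(char *out, size_t path_len, const char *args)
{
    size_t n = (size_t)sprintf(out, "#!/");
    memset(out + n, 'a', path_len);
    n += path_len;
    n += (size_t)sprintf(out + n, "/sh%s\n", args);
    return n;
}

int main(void)
{
    char buf[512];
    printf("%d\n", classify_shebang(buf, make_script(buf, 200, " -e")));
    return 0;
}
```

Run over the first bytes of each script in a tree with long interpreter paths, the PATH_TRUNCATED result marks the files that would hit the new failure mode.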