From: Ariadne Conill
To: linux-kernel@vger.kernel.org
Cc: linux-fsdevel@vger.kernel.org, Eric Biederman, Kees Cook, Alexander Viro, Ariadne Conill
Subject: [PATCH] fs/exec: require argv[0] presence in do_execveat_common()
Date: Wed, 26 Jan 2022 04:39:47 +0000
Message-Id: <20220126043947.10058-1-ariadne@dereferenced.org>
X-Mailer: git-send-email 2.34.1
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

The first argument to argv when used with execv family of calls is required to be the name of the program being executed, per POSIX. By validating this in do_execveat_common(), we can prevent execution of shellcode which invokes execv(2) family syscalls with argc < 1, a scenario which is disallowed by POSIX, thus providing a mitigation against CVE-2021-4034 and similar bugs in the future.

The use of -EFAULT for this case is similar to other systems, such as FreeBSD and OpenBSD.

Interestingly, Michael Kerrisk opened an issue about this in 2008, but there was no consensus to support fixing this issue then. Hopefully now that CVE-2021-4034 shows practical exploitative use of this bug in a shellcode, we can reconsider.

Signed-off-by: Ariadne Conill
---
 fs/exec.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/fs/exec.c b/fs/exec.c index 79f2c9483302..de0b832473ed 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -1897,8 +1897,10 @@ static int do_execveat_common(int fd, struct filename *filename, } retval = count(argv, MAX_ARG_STRINGS); - if (retval < 0) + if (retval < 1) { + retval = -EFAULT; goto out_free; + } bprm->argc = retval; retval = count(envp, MAX_ARG_STRINGS); -- 2.34.1
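Review bot: the `+ retval = -EFAULT;` line inside the new `if (retval < 1) {` block discards whatever negative value `count(argv, MAX_ARG_STRINGS)` returned, whereas the replaced `- if (retval < 0)` / `goto out_free;` forwarded count()'s own error code to the caller, so any argv that count() already rejects now surfaces to userspace as EFAULT as well. Keeping the existing `if (retval < 0) goto out_free;` and adding a separate `if (retval == 0) { retval = -EFAULT; goto out_free; }` ahead of `bprm->argc = retval;` rejects argc == 0 without masking other errors. The commit message should also say plainly that this is a behaviour change visible to existing userspace (an execve with an empty argv previously passed this check, since only retval < 0 went to out_free), given that the 2008 discussion it cites ended without consensus on exactly that point.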
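The argc policy the commit message describes, modelled in user space as an added example that is not the kernel's code or the patch author's: `count_argv` is a hypothetical stand-in for fs/exec.c's `count()`, and the three `argc_policy_*` functions are hypothetical names for the pre-patch check, the check as posted, and a variant that refuses an empty argv while still forwarding count()'s own error code.

```c
#include <errno.h>
#include <stddef.h>

#define MAX_ARG_STRINGS 0x7FFFFFFF /* the kernel's cap on argv/envp entries */

/* Hypothetical user-space stand-in for fs/exec.c's count(): number of
 * entries before the terminating NULL, -E2BIG past max, -EFAULT if the
 * array itself cannot be read (a NULL base pointer models that here). */
static int count_argv(char *const *argv, int max)
{
	int i = 0;

	if (argv == NULL)
		return -EFAULT;
	while (argv[i] != NULL)
		if (++i > max)
			return -E2BIG;
	return i;
}

/* Pre-patch policy: any non-negative count passes, so argc == 0 reaches
 * the new program with argv[0] == NULL. */
int argc_policy_before(char *const *argv, int max)
{
	return count_argv(argv, max);
}

/* Policy as posted: argc < 1 is refused with -EFAULT. Since the test is
 * "< 1" and the branch assigns -EFAULT, a real count() error (-E2BIG)
 * is replaced by -EFAULT as well. */
int argc_policy_patched(char *const *argv, int max)
{
	int retval = count_argv(argv, max);

	if (retval < 1)
		retval = -EFAULT;
	return retval;
}

/* Variant that refuses an empty argv but forwards count()'s own errors. */
int argc_policy_preserving(char *const *argv, int max)
{
	int retval = count_argv(argv, max);

	if (retval == 0)
		retval = -EFAULT;
	return retval;
}
```

Calling the three policies on a constructed empty argv (`{ NULL }`) shows the pre-patch check returning 0 and both others returning -EFAULT; calling them with a max smaller than the array length shows only the preserving variant still reporting -E2BIG.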