Date: Wed, 26 Jan 2022 14:10:37 -0600 (CST)
From: Ariadne Conill
To: Kees Cook
cc: Ariadne Conill, Michael Kerrisk, Matthew Wilcox, Christian Brauner, Rich Felker, Eric Biederman, Alexander Viro, linux-fsdevel@vger.kernel.org, stable@vger.kernel.org, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: Re: [PATCH] fs/binfmt_elf: Add padding NULL when argc == 0
In-Reply-To: <20220126175747.3270945-1-keescook@chromium.org>
References: <20220126175747.3270945-1-keescook@chromium.org>
List-ID: linux-kernel@vger.kernel.org

Hi,

On Wed, 26 Jan 2022, Kees Cook wrote:

> Quoting Ariadne Conill:
>
> "In several other operating systems, it is a hard requirement that the
> first argument to execve(2) be the name of a program, thus prohibiting
> a scenario where argc < 1. POSIX 2017 also recommends this behaviour,
> but it is not an explicit requirement[1]:
>
>     The argument arg0 should point to a filename string that is
>     associated with the process being started by one of the exec
>     functions.
> ...
> Interestingly, Michael Kerrisk opened an issue about this in 2008[2],
> but there was no consensus to support fixing this issue then.
> Hopefully now that CVE-2021-4034 shows practical exploitative use[3]
> of this bug in a shellcode, we can reconsider."
>
> An examination of existing[4] users of execve(..., NULL, NULL) shows
> mostly test code, or example rootkit code. While rejecting a NULL argv
> would be preferred, it looks like the main cause of userspace confusion
> is an assumption that argc >= 1, and buggy programs may skip argv[0]
> when iterating. To protect against userspace bugs of this nature, insert
> an extra NULL pointer in argv when argc == 0, so that argv[1] != envp[0].
>
> Note that this is only done in the argc == 0 case because some userspace
> programs expect to find envp at exactly argv[argc]. The overlap of these
> two misguided assumptions is believed to be zero.
>
> [1] https://pubs.opengroup.org/onlinepubs/9699919799/functions/exec.html
> [2] https://bugzilla.kernel.org/show_bug.cgi?id=8408
> [3] https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
> [4] https://codesearch.debian.net/search?q=execve%5C+*%5C%28%5B%5E%2C%5D%2B%2C+*NULL&literal=0
>
> Reported-by: Ariadne Conill
> Reported-by: Michael Kerrisk
> Cc: Matthew Wilcox
> Cc: Christian Brauner
> Cc: Rich Felker
> Cc: Eric Biederman
> Cc: Alexander Viro
> Cc: linux-fsdevel@vger.kernel.org
> Cc: stable@vger.kernel.org
> Signed-off-by: Kees Cook

Tested-by: Ariadne Conill

It seems to work, but I still think bailing early with -EINVAL is a more
reasonable position to take.

For example, the following code, when used with BusyBox applets, results
in a segfault, as the multicall stub does not support scenarios where
argc < 1:

#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

int main(int argc, const char **argv)
{
	/* Raw execve(2) with argv == NULL and envp == NULL, so the new
	 * program starts with argc == 0. */
	if (syscall(SYS_execve, "/bin/date", NULL, NULL) < 0)
		perror("execve");
	return 0;
}

Ariadne
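The layout argument in the patch description (argv[1] aliasing envp[0] when argc == 0, and the padding NULL breaking that alias) can be checked without calling execve at all. The following is an added illustration, not code from the patch, from BusyBox or from this thread: it builds a pointer block in the shape the kernel puts on a new program's initial stack (argv entries, NULL, envp entries, NULL), optionally with the patch's extra NULL, and runs both a consumer that wrongly assumes argc >= 1 and a defensive one over it. The struct, function names, sample environment strings and MAX_PTRS bound are all constructed for this demonstration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical simulation (not code from the patch or the email): argv and
 * envp are laid out contiguously, argv[0..argc-1], NULL, envp[0..envc-1],
 * NULL, which is the shape a new program finds on its initial stack.
 */
#define MAX_PTRS 32

struct vectors {
    const char *block[MAX_PTRS]; /* contiguous storage standing in for the stack */
    const char **argv;
    const char **envp;
};

/*
 * Build the pointer block. With pad_empty != 0 and argc == 0, insert the
 * extra NULL the patch adds, so argv[1] no longer aliases envp[0].
 * Returns the number of pointers written, or 0 if the block is too small.
 */
static size_t build_vectors(struct vectors *v, const char **args, int argc,
                            const char **env, int envc, int pad_empty)
{
    size_t n = 0;

    if (argc < 0 || envc < 0 || (size_t)argc + (size_t)envc + 3 > MAX_PTRS)
        return 0;
    v->argv = v->block;
    for (int i = 0; i < argc; i++)
        v->block[n++] = args[i];
    v->block[n++] = NULL;               /* argv[argc] == NULL, always */
    if (pad_empty && argc == 0)
        v->block[n++] = NULL;           /* the padding NULL from the patch */
    v->envp = v->block + n;
    for (int i = 0; i < envc; i++)
        v->block[n++] = env[i];
    v->block[n++] = NULL;               /* envp terminator */
    return n;
}

/* A buggy consumer: assumes argc >= 1 and walks from argv[1] until NULL. */
static int count_args_skipping_argv0(const char **argv)
{
    int count = 0;

    for (const char **p = argv + 1; *p != NULL; p++)
        count++;
    return count;
}

/* A defensive consumer: checks argc before touching argv[0]. */
static const char *program_name(int argc, const char **argv)
{
    if (argc < 1 || argv[0] == NULL)
        return "(unknown)";
    return argv[0];
}

/* Constructed sample environment for the demonstration helpers below. */
static const char *sample_env[] = { "PATH=/usr/bin", "HOME=/tmp" };
#define SAMPLE_ENVC 2

/* Run the buggy loop over an argc == 0 vector, with or without padding. */
static int buggy_count_for_empty_argv(int pad_empty)
{
    struct vectors v;

    if (build_vectors(&v, NULL, 0, sample_env, SAMPLE_ENVC, pad_empty) == 0)
        return -1;
    return count_args_skipping_argv0(v.argv);
}

/* Distance in pointers from argv to envp for an argc == 0 vector. */
static ptrdiff_t envp_offset_for_empty_argv(int pad_empty)
{
    struct vectors v;

    if (build_vectors(&v, NULL, 0, sample_env, SAMPLE_ENVC, pad_empty) == 0)
        return -1;
    return v.envp - v.argv;
}

int main(void)
{
    printf("argc == 0, no padding: buggy loop sees %d \"arguments\" (really envp)\n",
           buggy_count_for_empty_argv(0));
    printf("argc == 0, padded:     buggy loop sees %d arguments\n",
           buggy_count_for_empty_argv(1));
    printf("envp sits at argv + %td without padding, argv + %td with it\n",
           envp_offset_for_empty_argv(0), envp_offset_for_empty_argv(1));
    printf("defensive program_name with argc == 0: %s\n", program_name(0, NULL));
    return 0;
}
```

Without the padding the buggy loop reports the two environment strings as arguments, which is exactly the confusion the patch targets; with it the loop sees nothing, while envp moves one slot further from argv, which is why the patch limits the change to argc == 0 and why a program that trusts argc (as program_name does) is correct in both layouts.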