Received: by 2002:a05:6a10:af89:0:0:0:0 with SMTP id iu9csp5617369pxb; Wed, 26 Jan 2022 16:38:48 -0800 (PST) X-Google-Smtp-Source: ABdhPJztULN+5GXSOVYDxW81kiQKjEc5PrxwPADdFIJa4neuNr6gFOr8f6SkYhJryljVbkHceJVa X-Received: by 2002:a17:902:edd0:: with SMTP id q16mr1527524plk.170.1643243927936; Wed, 26 Jan 2022 16:38:47 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1643243927; cv=none; d=google.com; s=arc-20160816; b=a+Usei9k5TM/BOP3aXvW4rtl/0WC7Sl2cV+ClvfV/Wb5bZGc7zwyK0Y+/zNfIiVq43 BmNN4mpHNeAoTU82EMukFY+8RkxSVDW7nj3le5JuzmwgehJOIWRwMHnSK0rlHHkJ9oub Pzdoixumcb8c5hhZmBZrjwNa6upoBoR0UAlGWvrTccOv9UJVCp16i8Ju/qMPE6ixJzY+ AcHj6CBadqaXQRtyzAjVzq2d5oxKezqszYrR5WEeM5Qprp1+wfZGdZFaFug1NUdZDsih 5C25rzrQvrum11e8+ZnB+JBBKJf1fVvw69mOLDtjqTUS1KFapxXYvnDiNJ7nxoOnKqMS Q9gA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:mime-version:references:message-id:in-reply-to :subject:cc:to:from:date:dkim-signature; bh=u2p9JA2MTr4/UUGs7mnTevwtbP7p1V5Qplvg6Rsxcj8=; b=ipc4GUrOox2CZL2W37Qv/oqzCtbHhZGGbtGAWcHHYIv2rdi9g08strbFOc8fBf3765 WY9E4JjBlAVy7SwRfVxF7Jwfg1HjIOGWjEVh/9CfZY2ppfvYxgCmGkwDsFRIuyYHvKZC 6hC2SF7B0pgg1VBLZk2vVEVySRYmchULPS+VSxF1c7p1F4j4BrrzQy1SKL5yn+5ShBT0 lLPyw2K3mVqGrA/mWvLmkt5jJL9M7JVh1z3Op/sreQFRUlyC4CEOlAGb6Ip/S+sGvgei IWsUNNaEs7hxjtxVG17BHJb6TCqUVX5YJJirOBnjGmiALK3rEC1327xckC4mENbB7zHa oGGw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@dereferenced.org header.s=mailbun header.b=J6Johoj5; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=dereferenced.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id b21si804783pfv.180.2022.01.26.16.38.35; Wed, 26 Jan 2022 16:38:47 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@dereferenced.org header.s=mailbun header.b=J6Johoj5; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=dereferenced.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231304AbiAZUqY (ORCPT + 99 others); Wed, 26 Jan 2022 15:46:24 -0500 Received: from mx1.mailbun.net ([170.39.20.100]:42882 "EHLO mx1.mailbun.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231284AbiAZUqX (ORCPT ); Wed, 26 Jan 2022 15:46:23 -0500 Received: from [2607:fb90:d98b:8818:5079:94eb:24d5:e5c3] (unknown [172.58.104.31]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: ariadne@dereferenced.org) by mx1.mailbun.net (Postfix) with ESMTPSA id 660281029F2; Wed, 26 Jan 2022 20:46:21 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=dereferenced.org; s=mailbun; t=1643229983; bh=F8wCk/NyUAzIdnRmsKCm4QEKnB2JLGsv/olNhoue6DY=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=J6Johoj5XjsytkFMCIbO4nFebCWDZZDOaC/XOmNeRRdiJVaG6lVhJ4UvCylzXjEZM TrR/aUf6/EPqLcAKxp83hm25qMfiYI898ZPXqi5nUjAmLb4FAt55jxwkfjJ6+i4CDD owqe2wtKEOZqLsY5G0N6eVl39/XOMLuDjhuhsAg8wXnJou4QVnQ/tKgu3UdisThYPi jdqfyOkhYlo6bao36c9IDZ9c1p06iBVEEY6hs78OfNwsQ/ixKbHMZlU5cTrn0lcls4 3jnap/kbWuiizhpyn9Jp3NNDj+yMG6CWjuoWYhiTP+M33b+XHy3IzZp3/TfVJinMsc mNEdlWq3mpbVw== Date: Wed, 26 Jan 2022 14:46:15 -0600 (CST) From: Ariadne Conill To: Ariadne Conill cc: Kees Cook , Michael Kerrisk , Matthew Wilcox , Christian Brauner , Rich Felker , Eric Biederman , Alexander Viro , linux-fsdevel@vger.kernel.org, stable@vger.kernel.org, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org Subject: Re: [PATCH] fs/binfmt_elf: Add padding NULL when argc == 0 In-Reply-To: Message-ID: <4df29574-b147-d42d-45f5-a57082d6a2ed@dereferenced.org> References: <20220126175747.3270945-1-keescook@chromium.org> MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII; format=flowed Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi, On Wed, 26 Jan 2022, Ariadne Conill wrote: > Hi, > > On Wed, 26 Jan 2022, Kees Cook wrote: > >> Quoting Ariadne Conill: >> >> "In several other operating systems, it is a hard requirement that the >> first argument to execve(2) be the name of a program, thus prohibiting >> a scenario where argc < 1. POSIX 2017 also recommends this behaviour, >> but it is not an explicit requirement[1]: >> >> The argument arg0 should point to a filename string that is >> associated with the process being started by one of the exec >> functions. >> ... >> Interestingly, Michael Kerrisk opened an issue about this in 2008[2], >> but there was no consensus to support fixing this issue then. >> Hopefully now that CVE-2021-4034 shows practical exploitative use[3] >> of this bug in a shellcode, we can reconsider." >> >> An examination of existing[4] users of execve(..., NULL, NULL) shows >> mostly test code, or example rootkit code. While rejecting a NULL argv >> would be preferred, it looks like the main cause of userspace confusion >> is an assumption that argc >= 1, and buggy programs may skip argv[0] >> when iterating. To protect against userspace bugs of this nature, insert >> an extra NULL pointer in argv when argc == 0, so that argv[1] != envp[0]. >> >> Note that this is only done in the argc == 0 case because some userspace >> programs expect to find envp at exactly argv[argc]. The overlap of these >> two misguided assumptions is believed to be zero. >> >> [1] https://pubs.opengroup.org/onlinepubs/9699919799/functions/exec.html >> [2] https://bugzilla.kernel.org/show_bug.cgi?id=8408 >> [3] https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt >> [4] >> https://codesearch.debian.net/search?q=execve%5C+*%5C%28%5B%5E%2C%5D%2B%2C+*NULL&literal=0 >> >> Reported-by: Ariadne Conill >> Reported-by: Michael Kerrisk >> Cc: Matthew Wilcox >> Cc: Christian Brauner >> Cc: Rich Felker >> Cc: Eric Biederman >> Cc: Alexander Viro >> Cc: linux-fsdevel@vger.kernel.org >> Cc: stable@vger.kernel.org >> Signed-off-by: Kees Cook > > Tested-by: Ariadne Conill > > It seems to work, but I still think bailing early with -EINVAL is a more > reasonable position to take. For example, the following code, when used with > BusyBox applets results in a segfault, as the multicall stub does not support > scenarios where argc < 1: > > #include > #include > #include > > int main(int argc, const char **argv) { > if (syscall(SYS_execve, "/bin/date", NULL, NULL) < 0) > perror("execve"); > return 0; > } > Further testing indicates that while things *mostly* work, it results in memory corruption in various tasks, for example, trying to build a new kernel hung, and the gcc process's name was a bunch of uninitialized memory. So, I don't think { NULL, NULL } is a good way to go. Ariadne