Received: by 2002:a05:6a10:af89:0:0:0:0 with SMTP id iu9csp5617384pxb; Wed, 26 Jan 2022 16:38:48 -0800 (PST) X-Google-Smtp-Source: ABdhPJzmBbLbEeKtfNTx7Cx9h64NaBQI6qIkfpxY1pGXysYKhHfOKWoFFbwqcCmpCz+tRlDve8iO X-Received: by 2002:a62:2982:: with SMTP id p124mr1245582pfp.53.1643243928687; Wed, 26 Jan 2022 16:38:48 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1643243928; cv=none; d=google.com; s=arc-20160816; b=mswl77dYfbqCYQkveJL9on40dHLjy15JgIegDd1hrxnBVFIpr+bsPQqAq2o3HqK+xI fLLhrcwYmJhjdI/kq2oDFup32zIknojCLYWuJjevPp9b267xx4gvwVvUXBUX/cRR2eKd f7fxv+VwU27jJ1AKq6qTry9dpjgyAhP/WFUC5LsWBeKrUxyAZ9LRzq1YHzwDPM5Kgk/d JBqQVxn+wXq348sM275Oi3e66izNCOrJ/GtgI0V0miXfIJi25q/YTPP7ab7BomcZIvHH zaW94jdu/mJcQ1i3QNUc6HNmb0O3uUP/RpouzgE2NM6ASH4FdeW24TRQPWtvxeNA0IFz JB2w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:user-agent:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date; bh=1cNm1Mt5JKjJcbSE9YAwXDibEEa5TCxM7FHSvnIhbGM=; b=xuceLmQ5b+dTzrGTSOuaE3dR7rFagTdHmyFeNSCKqVkLF/ztTrjdq8Kt3U43TPYV/o BXWL/laDIuAtVmWnDa5LnVyr82QJC99cvvVB/BNZigeHtmSZsGH99d6+v0Uy/AAHQdh1 NZqsHu+1WFa60GIKb6zzM5xej9c0a2jASbHSER5sBzWavySE/pShMWEmhtmSbaWQ9S7V Fc/Mbv6O2xIeqTHTKZZMIqi+IvaElsT4udutSMnD5+rY2bhla4Doi3g21hSmobK7/45Q myMebRxPBYHUQD1vIA03arUeREekOsy4//YfCPU488QdfhIxnoMs02OapiPeW9cBlHvA 8/XA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id b20si4219744pjp.15.2022.01.26.16.38.35; Wed, 26 Jan 2022 16:38:48 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231414AbiAZUwu (ORCPT + 99 others); Wed, 26 Jan 2022 15:52:50 -0500 Received: from brightrain.aerifal.cx ([216.12.86.13]:54198 "EHLO brightrain.aerifal.cx" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231388AbiAZUwt (ORCPT ); Wed, 26 Jan 2022 15:52:49 -0500 Date: Wed, 26 Jan 2022 15:52:48 -0500 From: Rich Felker To: Kees Cook Cc: Ariadne Conill , Michael Kerrisk , Matthew Wilcox , Christian Brauner , Eric Biederman , Alexander Viro , linux-fsdevel@vger.kernel.org, stable@vger.kernel.org, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org Subject: Re: [PATCH] fs/binfmt_elf: Add padding NULL when argc == 0 Message-ID: <20220126205247.GA9263@brightrain.aerifal.cx> References: <20220126175747.3270945-1-keescook@chromium.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20220126175747.3270945-1-keescook@chromium.org> User-Agent: Mutt/1.5.21 (2010-09-15) Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Jan 26, 2022 at 09:57:47AM -0800, Kees Cook wrote: > Quoting Ariadne Conill: > > "In several other operating systems, it is a hard requirement that the > first argument to execve(2) be the name of a program, thus prohibiting > a scenario where argc < 1. POSIX 2017 also recommends this behaviour, > but it is not an explicit requirement[1]: > > The argument arg0 should point to a filename string that is > associated with the process being started by one of the exec > functions. > ... > Interestingly, Michael Kerrisk opened an issue about this in 2008[2], > but there was no consensus to support fixing this issue then. > Hopefully now that CVE-2021-4034 shows practical exploitative use[3] > of this bug in a shellcode, we can reconsider." > > An examination of existing[4] users of execve(..., NULL, NULL) shows > mostly test code, or example rootkit code. While rejecting a NULL argv > would be preferred, it looks like the main cause of userspace confusion > is an assumption that argc >= 1, and buggy programs may skip argv[0] > when iterating. To protect against userspace bugs of this nature, insert > an extra NULL pointer in argv when argc == 0, so that argv[1] != envp[0]. > > Note that this is only done in the argc == 0 case because some userspace > programs expect to find envp at exactly argv[argc]. The overlap of these > two misguided assumptions is believed to be zero. > > [1] https://pubs.opengroup.org/onlinepubs/9699919799/functions/exec.html > [2] https://bugzilla.kernel.org/show_bug.cgi?id=8408 > [3] https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt > [4] https://codesearch.debian.net/search?q=execve%5C+*%5C%28%5B%5E%2C%5D%2B%2C+*NULL&literal=0 > > Reported-by: Ariadne Conill > Reported-by: Michael Kerrisk > Cc: Matthew Wilcox > Cc: Christian Brauner > Cc: Rich Felker > Cc: Eric Biederman > Cc: Alexander Viro > Cc: linux-fsdevel@vger.kernel.org > Cc: stable@vger.kernel.org > Signed-off-by: Kees Cook > --- > fs/binfmt_elf.c | 10 +++++++++- > fs/exec.c | 7 ++++++- > 2 files changed, 15 insertions(+), 2 deletions(-) > > diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c > index 605017eb9349..e456c48658ad 100644 > --- a/fs/binfmt_elf.c > +++ b/fs/binfmt_elf.c > @@ -297,7 +297,8 @@ create_elf_tables(struct linux_binprm *bprm, const struct elfhdr *exec, > ei_index = elf_info - (elf_addr_t *)mm->saved_auxv; > sp = STACK_ADD(p, ei_index); > > - items = (argc + 1) + (envc + 1) + 1; > + /* Make room for extra pointer when argc == 0. See below. */ > + items = (min(argc, 1) + 1) + (envc + 1) + 1; > bprm->p = STACK_ROUND(sp, items); > > /* Point sp at the lowest address on the stack */ > @@ -326,6 +327,13 @@ create_elf_tables(struct linux_binprm *bprm, const struct elfhdr *exec, > > /* Populate list of argv pointers back to argv strings. */ > p = mm->arg_end = mm->arg_start; > + /* > + * Include an extra NULL pointer in argv when argc == 0 so > + * that argv[1] != envp[0] to help userspace programs from > + * mishandling argc == 0. See fs/exec.c bprm_stack_limits(). > + */ > + if (argc == 0 && put_user(0, sp++)) > + return -EFAULT; > while (argc-- > 0) { > size_t len; > if (put_user((elf_addr_t)p, sp++)) > diff --git a/fs/exec.c b/fs/exec.c > index 79f2c9483302..0b36384e55b1 100644 > --- a/fs/exec.c > +++ b/fs/exec.c > @@ -495,8 +495,13 @@ static int bprm_stack_limits(struct linux_binprm *bprm) > * the stack. They aren't stored until much later when we can't > * signal to the parent that the child has run out of stack space. > * Instead, calculate it here so it's possible to fail gracefully. > + * > + * In the case of argc < 1, make sure there is a NULL pointer gap > + * between argv and envp to ensure confused userspace programs don't > + * start processing from argv[1], thinking argc can never be 0, > + * to block them from walking envp by accident. See fs/binfmt_elf.c. > */ > - ptr_size = (bprm->argc + bprm->envc) * sizeof(void *); > + ptr_size = (min(bprm->argc, 1) + bprm->envc) * sizeof(void *); > if (limit <= ptr_size) > return -E2BIG; > limit -= ptr_size; > -- > 2.30.2 > This patch is not just wrong, but extremely dangerously wrong, to the point that it may make all suid-root binaries exploitable (at least dynamic linked ones). The ELF entry point contract is that argv+argc+1==envp, and in fact this is the "preferred" way of computing envp so as to avoid linear search over argv. In musl's dynamic linker we do exactly that; I'm not sure about glibc's. See: https://git.musl-libc.org/cgit/musl/tree/ldso/dynlink.c?id=v1.2.2#n1740 If argv[argc+1] wrongly contains a null pointer, semantically, that means the environment is empty and auxv starts at the next stack slot. It's an exercise for the reader to populate the environment in a way that this memory wrongly gets interpreted as a meaningful auxv. I'm not sure this is possible, but I wouldn't automatically rule it out. In short: YOU CANNOT CHANGE/BREAK CONTRACTS TO MITIGATE A VULN. Doing so just makes new vulns in the programs that were correct before. Silently replacing argc==0 with argc==1 and argv[0]=="" would be a safe variant of this, but I'm really in favor of just erroring out, but *only doing it when the exec is a privilege boundary* (suid/etc.) to minimize the chance of breaking software dependent on allowing argc==0. Rich