Received: by 2002:a05:6a10:1a4d:0:0:0:0 with SMTP id nk13csp1811195pxb; Wed, 2 Feb 2022 13:04:28 -0800 (PST) X-Google-Smtp-Source: ABdhPJxNz3UQuHA3dSF5Q8UlD55eGWnMIbMmNG1QfNdZx5FHL1667iQFoae1Hb5eDfHypTqqLcKP X-Received: by 2002:a17:902:ced2:: with SMTP id d18mr32795570plg.21.1643835868350; Wed, 02 Feb 2022 13:04:28 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1643835868; cv=none; d=google.com; s=arc-20160816; b=RKRxb77WTDPQcVi4XFk0V0b3rgz4NNkIb0OoRrz/NgqD/XBm/gT6DG/LxMKqqIgG6c 3jnLhap+SrT0v32VL94w5Peu3AzzM0zOxljtEslxEeAQ/q3qOfuOfFDHly7aynTLMEuw fCP1SNl2V28s6czl7sT8TQbGJlSCu2TGLxjwNdgoj2mbhWlh/xYnJMoLOe9p7JgHhaBh ETbSBMjbhsGpBkOSXRNOnrvhsIqrPlLme8IIKEy70mU+wk8+jIb5++DuWpqhSJBX8lZX aYRRBPWZs4N+Nh8VVJHSbiWmssD2F2apTLXXv+Qb4LPx8RSTn1hVUYyolBWKrieIBXic cDUA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=aukpW1iZ03y9P5Ftl5wjItYFQL/CIJ9WL1xn7dY1lMc=; b=OfFxGc3anStV9YbIC6GI6+w4JZPaQga/BPQszqGdiQ1lLqKc6QPKleafdmoQTUXUuF diqV4V8n957NTO3T/RzD5IfhyoaDpATQNqD0IW6M2B7VQsPAk1XSikVcOt9rjgJJq67H DUUqfCuYNgWNzcnCxGNHjNgmkk6RjlH6txR4BlSvEfs+UmpihwD8YUY7AmYKkr2c4Fjh D0FHKN3Ew70pW6X56ebhp1knGK5pYZCRhunsOW6GeWeiEupHpM2X+i/t9R94Slqc8CaS 68fI8snGfyFIpsTXuCvxQqAUaPgGAxC65I/N9q3rVYIjkLneI6cb69G+72S+fDr51IFG KZbA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b="d5CHA/Ar"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id e10si9005486pgc.264.2022.02.02.13.04.15; Wed, 02 Feb 2022 13:04:28 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b="d5CHA/Ar"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S242377AbiBBTDw (ORCPT + 99 others); Wed, 2 Feb 2022 14:03:52 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49378 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231486AbiBBTDv (ORCPT ); Wed, 2 Feb 2022 14:03:51 -0500 Received: from mail-pl1-x62f.google.com (mail-pl1-x62f.google.com [IPv6:2607:f8b0:4864:20::62f]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A085CC06173B for ; Wed, 2 Feb 2022 11:03:51 -0800 (PST) Received: by mail-pl1-x62f.google.com with SMTP id c3so68731pls.5 for ; Wed, 02 Feb 2022 11:03:51 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=aukpW1iZ03y9P5Ftl5wjItYFQL/CIJ9WL1xn7dY1lMc=; b=d5CHA/ArAtV/xPhLL2/JhkAe37YFSe43ehxtmA5SCeVDr410kShpQ5JnPBswiRQVcy RmIrCXJZy1n4FE4WROjypPuHYpeubia5+50oO3H4OlzDzlKappn+UlQ9qzPQBMnsVTOP Quueb5szhF/BxSK2uR+7g0OBW6XEC6M1Ihvr4= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=aukpW1iZ03y9P5Ftl5wjItYFQL/CIJ9WL1xn7dY1lMc=; b=jraWxISQfzj4dsos5rLjUTZxQiB1KsyMn07ZAqR9O8ESGuSF7yNTwvFG9Hj2UTfk3q 8jU5eehOPRc0308R+GqoUEhrYJaKuA0EC5WX3B5iFcdA2tLOQbvmf8Z1fVxZAecCjoxJ hQU8hvj3XdvQkQPBh6Ir7+xV1g9Yt2sHClT/ORatoFDuyefTLZNk9wjN089GEIUPrTbU kJV6gBszcJH/97wDD1h/IDclL4dbmjpo/8OQnbycXfSOsFPYK9mLppCprJKPrWitiv7s YTHhG+sgTXjDwuWX4qHbUeCW97Y7e5IM7cS1a+2GAlNd8w7aE6IvwAB5aVvIA/nEeIaB JOfA== X-Gm-Message-State: AOAM532ZmWbHadg/nk7R3o5xRXY1ICOcIMR72WQr++Jpb/XBwYDN4WIE u0h8itc3WJ50U5AJFW3+3lgcpA== X-Received: by 2002:a17:90a:be15:: with SMTP id a21mr9663038pjs.36.1643828631016; Wed, 02 Feb 2022 11:03:51 -0800 (PST) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id y191sm25813825pfb.114.2022.02.02.11.03.50 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 02 Feb 2022 11:03:50 -0800 (PST) Date: Wed, 2 Feb 2022 11:03:49 -0800 From: Kees Cook To: Rich Felker Cc: Andrew Morton , Ariadne Conill , Michael Kerrisk , Matthew Wilcox , Christian Brauner , Eric Biederman , Alexander Viro , linux-fsdevel@vger.kernel.org, stable@vger.kernel.org, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org Subject: Re: [PATCH] exec: Force single empty string when argv is empty Message-ID: <202202021056.ED125C0346@keescook> References: <20220201000947.2453721-1-keescook@chromium.org> <20220201145324.GA29634@brightrain.aerifal.cx> <1A24DA4E-2B15-4A95-B2A1-F5F963E0CD6F@chromium.org> <20220202171218.GQ7074@brightrain.aerifal.cx> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20220202171218.GQ7074@brightrain.aerifal.cx> Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Feb 02, 2022 at 12:12:19PM -0500, Rich Felker wrote: > On Wed, Feb 02, 2022 at 07:50:42AM -0800, Kees Cook wrote: > > On February 1, 2022 6:53:25 AM PST, Rich Felker wrote: > > >From #musl: > > > > > > kees: shouldn't the min(bprm->argc, 1) be max(...) in your patch? > > > > Fix has already been sent, yup. > > > > >I'm pretty sure without fixing that, you're introducing a giant vuln > > >here. > > > > I wouldn't say "giant", but yes, it weakened a defense in depth for > > avoiding high stack utilization. > > I thought it was deciding the amount of memory to allocate/reserve for > the arg slots, but based on the comment it looks like it's just a way > to fail early rather than making the new process image fault later if > they don't fit. Right. > > > I believe this is the second time a patch attempting to fix this > > >non-vuln has proposed adding a new vuln... > > > > Mistakes happen, and that's why there is review and testing. Thank > > you for being part of the review process! :) > > I know, and I'm sorry for being a bit hostile over it, and for jumping > the gun about the severity. I just get frustrated when I see a rush to > make changes over an incidental part of a popularized vuln, with > disproportionate weight on "doing something" and not enough on being > careful. Sure, I can see it looks that way. My sense of urgency on this in particular is that we're early in the development cycle, and it's an ABI-breaking change, so I want to maximize how much time it has to get tested out in real workloads. (i.e. we've now seen that just rejecting NULL argv is likely too painful, etc.) All that said, I regularly bemoan the lack of sufficient regression tests for execve() and the binfmt_*.c loaders. I've written a couple, and so have others, but what I really want is a library of "binary that got broken by exec change" for doing regression testing against. That gets hampered by both size, redistribution issues, etc, so I've wanted to have minimal reproducers for each, but creating those take time, etc, etc. (And you'll note I wrote[1] a test for this particular behavior, because I'm trying to avoid falling further behind in test coverage.) I would _love_ it if someone had the time and attention to go through all the past binaries and make a regression test series. :) -Kees [1] https://lore.kernel.org/linux-hardening/20220201011637.2457646-1-keescook@chromium.org/ -- Kees Cook