lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <2025022629-CVE-2022-49264-ca90@gregkh>
Date: Wed, 26 Feb 2025 02:57:49 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2022-49264: exec: Force single empty string when argv is empty

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

exec: Force single empty string when argv is empty

Quoting[1] Ariadne Conill:

"In several other operating systems, it is a hard requirement that the
second argument to execve(2) be the name of a program, thus prohibiting
a scenario where argc < 1. POSIX 2017 also recommends this behaviour,
but it is not an explicit requirement[2]:

    The argument arg0 should point to a filename string that is
    associated with the process being started by one of the exec
    functions.
...
Interestingly, Michael Kerrisk opened an issue about this in 2008[3],
but there was no consensus to support fixing this issue then.
Hopefully now that CVE-2021-4034 shows practical exploitative use[4]
of this bug in a shellcode, we can reconsider.

This issue is being tracked in the KSPP issue tracker[5]."

While the initial code searches[6][7] turned up what appeared to be
mostly corner case tests, trying to that just reject argv == NULL
(or an immediately terminated pointer list) quickly started tripping[8]
existing userspace programs.

The next best approach is forcing a single empty string into argv and
adjusting argc to match. The number of programs depending on argc == 0
seems a smaller set than those calling execve with a NULL argv.

Account for the additional stack space in bprm_stack_limits(). Inject an
empty string when argc == 0 (and set argc = 1). Warn about the case so
userspace has some notice about the change:

    process './argc0' launched './argc0' with NULL argv: empty string added

Additionally WARN() and reject NULL argv usage for kernel threads.

[1] https://lore.kernel.org/lkml/20220127000724.15106-1-ariadne@dereferenced.org/
[2] https://pubs.opengroup.org/onlinepubs/9699919799/functions/exec.html
[3] https://bugzilla.kernel.org/show_bug.cgi?id=8408
[4] https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
[5] https://github.com/KSPP/linux/issues/176
[6] https://codesearch.debian.net/search?q=execve%5C+*%5C%28%5B%5E%2C%5D%2B%2C+*NULL&literal=0
[7] https://codesearch.debian.net/search?q=execlp%3F%5Cs*%5C%28%5B%5E%2C%5D%2B%2C%5Cs*NULL&literal=0
[8] https://lore.kernel.org/lkml/20220131144352.GE16385@xsang-OptiPlex-9020/

The Linux kernel CVE team has assigned CVE-2022-49264 to this issue.


Affected and fixed versions
===========================

	Fixed in 4.9.317 with commit 41f6ea5b9aaa28b740d47ffe995a5013211fdbb0
	Fixed in 4.14.282 with commit 98e0c7c702894987732776736c99b85ade6fba45
	Fixed in 4.19.246 with commit b50fb8dbc8b81aaa126387de428f4c42a7c72a73
	Fixed in 5.4.197 with commit 1fe82bfd9e4ce93399d815ca458b58505191c3e8
	Fixed in 5.10.110 with commit 27a6f495b63a1804cc71be45911065db7757a98c
	Fixed in 5.15.33 with commit 1290eb4412aa0f0e9f3434b406dc8e255da85f9e
	Fixed in 5.16.19 with commit a8054d3fa5deb84b215d6be1b910a978f3cb840d
	Fixed in 5.17.2 with commit cfbfff8ce5e3d674947581f1eb9af0a1b1807950
	Fixed in 5.18 with commit dcd46d897adb70d63e025f175a00a89797d31a43

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-49264
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	fs/exec.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/41f6ea5b9aaa28b740d47ffe995a5013211fdbb0
	https://git.kernel.org/stable/c/98e0c7c702894987732776736c99b85ade6fba45
	https://git.kernel.org/stable/c/b50fb8dbc8b81aaa126387de428f4c42a7c72a73
	https://git.kernel.org/stable/c/1fe82bfd9e4ce93399d815ca458b58505191c3e8
	https://git.kernel.org/stable/c/27a6f495b63a1804cc71be45911065db7757a98c
	https://git.kernel.org/stable/c/1290eb4412aa0f0e9f3434b406dc8e255da85f9e
	https://git.kernel.org/stable/c/a8054d3fa5deb84b215d6be1b910a978f3cb840d
	https://git.kernel.org/stable/c/cfbfff8ce5e3d674947581f1eb9af0a1b1807950
	https://git.kernel.org/stable/c/dcd46d897adb70d63e025f175a00a89797d31a43

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ