Date:   Tue, 1 Feb 2022 09:17:47 +0000
From:   David Laight <David.Laight@...LAB.COM>
To:     'Kees Cook' <>,
        Andrew Morton <>
CC:     Ariadne Conill <>,
        Michael Kerrisk <>,
        Matthew Wilcox <>,
        "Christian Brauner" <>,
        Rich Felker <>,
        Eric Biederman <>,
        Alexander Viro <>,
        "" <>,
        "" <>,
        "" <>,
        "" <>
Subject: RE: [PATCH] exec: Force single empty string when argv is empty

From: Kees Cook
> Sent: 01 February 2022 00:10
> While the initial code searches[6][7] turned up what appeared to be
> mostly corner case tests, trying to just reject argv == NULL
> (or an immediately terminated pointer list) quickly started tripping[8]
> existing userspace programs.
> The next best approach is forcing a single empty string into argv and
> adjusting argc to match. The number of programs depending on argc == 0
> seems a smaller set than those calling execve with a NULL argv.

Has anyone considered using the pathname for argv[0]?
So converting:
	execl(path, NULL);
into:
	execl(path, path, NULL);

I've not spotted any such suggestion.


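A userspace guard for the argv shapes discussed in this thread, added here as an example; it is not part of the original message or of the kernel patch. It covers an empty argv passed through unchanged, the single empty string the patch forces in, and a normal name or path (which is also what the pathname suggestion would produce). The names `classify_argv`, `prog_name`, `first_operand` and the fallback `"demo"` are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* What exec handed the program as argv. */
enum argv_shape {
    ARGV_EMPTY,        /* argc == 0 or argv[0] == NULL: empty argv passed through */
    ARGV_FORCED_EMPTY, /* argv[0] == "": the single empty string the patch forces in */
    ARGV_NAMED         /* argv[0] is a non-empty name or path */
};

enum argv_shape classify_argv(int argc, char *const argv[])
{
    if (argc < 1 || argv == NULL || argv[0] == NULL)
        return ARGV_EMPTY;
    if (argv[0][0] == '\0')
        return ARGV_FORCED_EMPTY;
    return ARGV_NAMED;
}

/* Name to use in diagnostics; never dereferences a missing argv[0]. */
const char *prog_name(int argc, char *const argv[], const char *fallback)
{
    if (classify_argv(argc, argv) != ARGV_NAMED)
        return fallback;
    const char *slash = strrchr(argv[0], '/');
    return (slash && slash[1] != '\0') ? slash + 1 : argv[0];
}

/* Index of the first operand, or -1 when there is none. argv[1] is only
 * read when argc says it exists, so argc == 0 cannot walk past the array. */
int first_operand(int argc, char *const argv[])
{
    return (argc >= 2 && argv != NULL && argv[1] != NULL) ? 1 : -1;
}

int main(int argc, char *argv[])
{
    /* "demo" is a constructed fallback name (assumption). */
    const char *name = prog_name(argc, argv, "demo");
    int op = first_operand(argc, argv);

    if (classify_argv(argc, argv) != ARGV_NAMED)
        fprintf(stderr, "%s: started without a usable argv[0]\n", name);
    printf("%s: first operand: %s\n", name, op < 0 ? "(none)" : argv[op]);
    return 0;
}
```

A check of the form `argc < 1` alone only covers the first shape; with the forced empty string, argc is 1 and the program has to test `argv[0][0]` as well.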
