lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 1 Feb 2022 09:17:47 +0000 From: David Laight <David.Laight@...LAB.COM> To: 'Kees Cook' <keescook@...omium.org>, Andrew Morton <akpm@...ux-foundation.org> CC: Ariadne Conill <ariadne@...eferenced.org>, Michael Kerrisk <mtk.manpages@...il.com>, Matthew Wilcox <willy@...radead.org>, "Christian Brauner" <brauner@...nel.org>, Rich Felker <dalias@...c.org>, Eric Biederman <ebiederm@...ssion.com>, Alexander Viro <viro@...iv.linux.org.uk>, "linux-fsdevel@...r.kernel.org" <linux-fsdevel@...r.kernel.org>, "stable@...r.kernel.org" <stable@...r.kernel.org>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, "linux-hardening@...r.kernel.org" <linux-hardening@...r.kernel.org> Subject: RE: [PATCH] exec: Force single empty string when argv is empty From: Kees Cook > Sent: 01 February 2022 00:10 ... > While the initial code searches[6][7] turned up what appeared to be > mostly corner case tests, trying to that just reject argv == NULL > (or an immediately terminated pointer list) quickly started tripping[8] > existing userspace programs. > > The next best approach is forcing a single empty string into argv and > adjusting argc to match. The number of programs depending on argc == 0 > seems a smaller set than those calling execve with a NULL argv. Has anyone considered using the pathname for argv[0]? So converting: execl(path, NULL); into: execl(path, path, NULL); I've not spotted any such suggestion. David - Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK Registration No: 1397386 (Wales)
Powered by blists - more mailing lists