| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <39480927-B17F-4573-B335-7FCFD81AB997@chromium.org>
Date: Tue, 25 Jan 2022 23:28:04 -0800
From: Kees Cook <keescook@...omium.org>
To: Ariadne Conill <ariadne@...eferenced.org>
CC: linux-kernel@...r.kernel.org, linux-fsdevel@...r.kernel.org,
Eric Biederman <ebiederm@...ssion.com>,
Alexander Viro <viro@...iv.linux.org.uk>
Subject: Re: [PATCH] fs/exec: require argv[0] presence in do_execveat_common()
On January 25, 2022 10:42:41 PM PST, Kees Cook <keescook@...omium.org> wrote:
>On Wed, Jan 26, 2022 at 04:39:47AM +0000, Ariadne Conill wrote:
>> The first argument to argv when used with execv family of calls is
>> required to be the name of the program being executed, per POSIX.
>>
>> By validating this in do_execveat_common(), we can prevent execution
>> of shellcode which invokes execv(2) family syscalls with argc < 1,
>> a scenario which is disallowed by POSIX, thus providing a mitigation
>> against CVE-2021-4034 and similar bugs in the future.
>>
>> The use of -EFAULT for this case is similar to other systems, such
>> as FreeBSD and OpenBSD.
>>
>> Interestingly, Michael Kerrisk opened an issue about this in 2008,
For v2 please include a URL for this. I assume you mean this one?
https://bugzilla.kernel.org/show_bug.cgi?id=8408
>> but there was no consensus to support fixing this issue then.
>> Hopefully now that CVE-2021-4034 shows practical exploitative use
>> of this bug in a shellcode, we can reconsider.
>>
>> Signed-off-by: Ariadne Conill <ariadne@...eferenced.org>
>
>Yup. Agreed. For context:
>https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
>
>> ---
>> fs/exec.c | 4 +++-
>> 1 file changed, 3 insertions(+), 1 deletion(-)
>>
>> diff --git a/fs/exec.c b/fs/exec.c
>> index 79f2c9483302..de0b832473ed 100644
>> --- a/fs/exec.c
>> +++ b/fs/exec.c
>> @@ -1897,8 +1897,10 @@ static int do_execveat_common(int fd, struct filename *filename,
>> }
>>
>> retval = count(argv, MAX_ARG_STRINGS);
>> - if (retval < 0)
>> + if (retval < 1) {
>> + retval = -EFAULT;
>> goto out_free;
>> + }
Actually, no, this needs to be more carefully special-cased to avoid masking error returns from count(). (e.g. -E2BIG would vanish with this patch.)
Perhaps just add:
if (retval == 0) {
retval = -EFAULT;
goto out_free;
}
>
>There shouldn't be anything legitimate actually doing this in userspace.
I spoke too soon.
Unfortunately, this is not the case:
https://codesearch.debian.net/search?q=execve%5C+*%5C%28%5B%5E%2C%5D%2B%2C+*NULL&literal=0
Lots of stuff likes to do:
execve(path, NULL, NULL);
Do these things depend on argc==0 would be my next question...
>
>-Kees
>
>> bprm->argc = retval;
>>
>> retval = count(envp, MAX_ARG_STRINGS);
>> --
>> 2.34.1
>>
>
--
Kees Cook
Powered by blists - more mailing lists