releases/4.19.246/exec-force-single-empty-string-when-argv-is-empty.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From dcd46d897adb70d63e025f175a00a89797d31a43 Mon Sep 17 00:00:00 2001
 From: Kees Cook <keescook@chromium.org>
 Date: Mon, 31 Jan 2022 16:09:47 -0800
 Subject: exec: Force single empty string when argv is empty

 From: Kees Cook <keescook@chromium.org>

 commit dcd46d897adb70d63e025f175a00a89797d31a43 upstream.

 Quoting[1] Ariadne Conill:

 "In several other operating systems, it is a hard requirement that the
 second argument to execve(2) be the name of a program, thus prohibiting
 a scenario where argc < 1. POSIX 2017 also recommends this behaviour,
 but it is not an explicit requirement[2]:

     The argument arg0 should point to a filename string that is
     associated with the process being started by one of the exec
     functions.
 ...
 Interestingly, Michael Kerrisk opened an issue about this in 2008[3],
 but there was no consensus to support fixing this issue then.
 Hopefully now that CVE-2021-4034 shows practical exploitative use[4]
 of this bug in a shellcode, we can reconsider.

 This issue is being tracked in the KSPP issue tracker[5]."

 While the initial code searches[6][7] turned up what appeared to be
 mostly corner case tests, trying to that just reject argv == NULL
 (or an immediately terminated pointer list) quickly started tripping[8]
 existing userspace programs.

 The next best approach is forcing a single empty string into argv and
 adjusting argc to match. The number of programs depending on argc == 0
 seems a smaller set than those calling execve with a NULL argv.

 Account for the additional stack space in bprm_stack_limits(). Inject an
 empty string when argc == 0 (and set argc = 1). Warn about the case so
 userspace has some notice about the change:

     process './argc0' launched './argc0' with NULL argv: empty string added

 Additionally WARN() and reject NULL argv usage for kernel threads.

 [1] https://lore.kernel.org/lkml/20220127000724.15106-1-ariadne@dereferenced.org/
 [2] https://pubs.opengroup.org/onlinepubs/9699919799/functions/exec.html
 [3] https://bugzilla.kernel.org/show_bug.cgi?id=8408
 [4] https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
 [5] https://github.com/KSPP/linux/issues/176
 [6] https://codesearch.debian.net/search?q=execve%5C+*%5C%28%5B%5E%2C%5D%2B%2C+*NULL&literal=0
 [7] https://codesearch.debian.net/search?q=execlp%3F%5Cs*%5C%28%5B%5E%2C%5D%2B%2C%5Cs*NULL&literal=0
 [8] https://lore.kernel.org/lkml/20220131144352.GE16385@xsang-OptiPlex-9020/

 Reported-by: Ariadne Conill <ariadne@dereferenced.org>
 Reported-by: Michael Kerrisk <mtk.manpages@gmail.com>
 Cc: Matthew Wilcox <willy@infradead.org>
 Cc: Christian Brauner <brauner@kernel.org>
 Cc: Rich Felker <dalias@libc.org>
 Cc: Eric Biederman <ebiederm@xmission.com>
 Cc: Alexander Viro <viro@zeniv.linux.org.uk>
 Cc: linux-fsdevel@vger.kernel.org
 Cc: stable@vger.kernel.org
 Signed-off-by: Kees Cook <keescook@chromium.org>
 Acked-by: Christian Brauner <brauner@kernel.org>
 Acked-by: Ariadne Conill <ariadne@dereferenced.org>
 Acked-by: Andy Lutomirski <luto@kernel.org>
 Link: https://lore.kernel.org/r/20220201000947.2453721-1-keescook@chromium.org
 [vegard: fixed conflicts due to missing
  886d7de631da71e30909980fdbf318f7caade262^- and
  3950e975431bc914f7e81b8f2a2dbdf2064acb0f^- and
  655c16a8ce9c15842547f40ce23fd148aeccc074]
 Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 ---
  fs/exec.c |   17 +++++++++++++++++
  1 file changed, 17 insertions(+)

 This has been tested in both argc == 0 and argc >= 1 cases, but I would
 still appreciate a review given the differences with mainline. If it's
 considered too risky I'm also fine with dropping it -- just wanted to
 make sure this didn't fall through the cracks, as it does block a real
 (albeit old by now) exploit.

 --- a/fs/exec.c
 +++ b/fs/exec.c
 @@ -1805,6 +1805,9 @@ static int __do_execve_file(int fd, stru
  		goto out_unmark;

  	bprm->argc = count(argv, MAX_ARG_STRINGS);
 +	if (bprm->argc == 0)
 +		pr_warn_once("process '%s' launched '%s' with NULL argv: empty string added\n",
 +			     current->comm, bprm->filename);
  	if ((retval = bprm->argc) < 0)
  		goto out;

 @@ -1829,6 +1832,20 @@ static int __do_execve_file(int fd, stru
  	if (retval < 0)
  		goto out;

 +	/*
 +	 * When argv is empty, add an empty string ("") as argv[0] to
 +	 * ensure confused userspace programs that start processing
 +	 * from argv[1] won't end up walking envp. See also
 +	 * bprm_stack_limits().
 +	 */
 +	if (bprm->argc == 0) {
 +		const char *argv[] = { "", NULL };
 +		retval = copy_strings_kernel(1, argv, bprm);
 +		if (retval < 0)
 +			goto out;
 +		bprm->argc = 1;
 +	}
 +
  	retval = exec_binprm(bprm);
  	if (retval < 0)
  		goto out;
	From dcd46d897adb70d63e025f175a00a89797d31a43 Mon Sep 17 00:00:00 2001
	From: Kees Cook <keescook@chromium.org>
	Date: Mon, 31 Jan 2022 16:09:47 -0800
	Subject: exec: Force single empty string when argv is empty

	From: Kees Cook <keescook@chromium.org>

	commit dcd46d897adb70d63e025f175a00a89797d31a43 upstream.

	Quoting[1] Ariadne Conill:

	"In several other operating systems, it is a hard requirement that the
	second argument to execve(2) be the name of a program, thus prohibiting
	a scenario where argc < 1. POSIX 2017 also recommends this behaviour,
	but it is not an explicit requirement[2]:

	The argument arg0 should point to a filename string that is
	associated with the process being started by one of the exec
	functions.
	...
	Interestingly, Michael Kerrisk opened an issue about this in 2008[3],
	but there was no consensus to support fixing this issue then.
	Hopefully now that CVE-2021-4034 shows practical exploitative use[4]
	of this bug in a shellcode, we can reconsider.

	This issue is being tracked in the KSPP issue tracker[5]."

	While the initial code searches[6][7] turned up what appeared to be
	mostly corner case tests, trying to that just reject argv == NULL
	(or an immediately terminated pointer list) quickly started tripping[8]
	existing userspace programs.

	The next best approach is forcing a single empty string into argv and
	adjusting argc to match. The number of programs depending on argc == 0
	seems a smaller set than those calling execve with a NULL argv.

	Account for the additional stack space in bprm_stack_limits(). Inject an
	empty string when argc == 0 (and set argc = 1). Warn about the case so
	userspace has some notice about the change:

	process './argc0' launched './argc0' with NULL argv: empty string added

	Additionally WARN() and reject NULL argv usage for kernel threads.

	[1] https://lore.kernel.org/lkml/20220127000724.15106-1-ariadne@dereferenced.org/
	[2] https://pubs.opengroup.org/onlinepubs/9699919799/functions/exec.html
	[3] https://bugzilla.kernel.org/show_bug.cgi?id=8408
	[4] https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
	[5] https://github.com/KSPP/linux/issues/176
	[6] https://codesearch.debian.net/search?q=execve%5C+%5C%28%5B%5E%2C%5D%2B%2C+NULL&literal=0
	[7] https://codesearch.debian.net/search?q=execlp%3F%5Cs%5C%28%5B%5E%2C%5D%2B%2C%5CsNULL&literal=0
	[8] https://lore.kernel.org/lkml/20220131144352.GE16385@xsang-OptiPlex-9020/

	Reported-by: Ariadne Conill <ariadne@dereferenced.org>
	Reported-by: Michael Kerrisk <mtk.manpages@gmail.com>
	Cc: Matthew Wilcox <willy@infradead.org>
	Cc: Christian Brauner <brauner@kernel.org>
	Cc: Rich Felker <dalias@libc.org>
	Cc: Eric Biederman <ebiederm@xmission.com>
	Cc: Alexander Viro <viro@zeniv.linux.org.uk>
	Cc: linux-fsdevel@vger.kernel.org
	Cc: stable@vger.kernel.org
	Signed-off-by: Kees Cook <keescook@chromium.org>
	Acked-by: Christian Brauner <brauner@kernel.org>
	Acked-by: Ariadne Conill <ariadne@dereferenced.org>
	Acked-by: Andy Lutomirski <luto@kernel.org>
	Link: https://lore.kernel.org/r/20220201000947.2453721-1-keescook@chromium.org
	[vegard: fixed conflicts due to missing
	886d7de631da71e30909980fdbf318f7caade262^- and
	3950e975431bc914f7e81b8f2a2dbdf2064acb0f^- and
	655c16a8ce9c15842547f40ce23fd148aeccc074]
	Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	---
	fs/exec.c \| 17 +++++++++++++++++
	1 file changed, 17 insertions(+)

	This has been tested in both argc == 0 and argc >= 1 cases, but I would
	still appreciate a review given the differences with mainline. If it's
	considered too risky I'm also fine with dropping it -- just wanted to
	make sure this didn't fall through the cracks, as it does block a real
	(albeit old by now) exploit.

	--- a/fs/exec.c
	+++ b/fs/exec.c
	@@ -1805,6 +1805,9 @@ static int __do_execve_file(int fd, stru
	goto out_unmark;

	bprm->argc = count(argv, MAX_ARG_STRINGS);
	+ if (bprm->argc == 0)
	+ pr_warn_once("process '%s' launched '%s' with NULL argv: empty string added\n",
	+ current->comm, bprm->filename);
	if ((retval = bprm->argc) < 0)
	goto out;

	@@ -1829,6 +1832,20 @@ static int __do_execve_file(int fd, stru
	if (retval < 0)
	goto out;

	+ /*
	+ * When argv is empty, add an empty string ("") as argv[0] to
	+ * ensure confused userspace programs that start processing
	+ * from argv[1] won't end up walking envp. See also
	+ * bprm_stack_limits().
	+ */
	+ if (bprm->argc == 0) {
	+ const char *argv[] = { "", NULL };
	+ retval = copy_strings_kernel(1, argv, bprm);
	+ if (retval < 0)
	+ goto out;
	+ bprm->argc = 1;
	+ }
	+
	retval = exec_binprm(bprm);
	if (retval < 0)
	goto out;