Date: Thu, 10 Feb 2022 20:22:15 GMT
Message-Id: <202202102022.21AKMFLH088345@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Kyle Evans
Subject: git: 7393eedb039a - stable/13 - execve: disallow argc == 0
List-Id: Commits to the stable branches of the FreeBSD src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
X-Git-Committer: kevans
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: 7393eedb039acb7890da9743a8e8322827820b2c

The branch stable/13 has been updated by kevans:

URL:
https://cgit.FreeBSD.org/src/commit/?id=7393eedb039acb7890da9743a8e8322827820b2c commit 7393eedb039acb7890da9743a8e8322827820b2c Author: Kyle Evans AuthorDate: 2022-01-25 22:47:23 +0000 Commit: Kyle Evans CommitDate: 2022-02-10 20:21:59 +0000 execve: disallow argc == 0 The manpage has contained the following verbiage on the matter for just under 31 years: "At least one argument must be present in the array" Previous to this version, it had been prefaced with the weakening phrase "By convention." Carry through and document it the rest of the way. Allowing argc == 0 has been a source of security issues in the past, and it's hard to imagine a valid use-case for allowing it. Toss back EINVAL if we ended up not copying in any args for *execve(). The manpage change can be considered "Obtained from: OpenBSD" (cherry picked from commit 773fa8cd136a5775241c3e3a70f1997633ebeedf) (cherry picked from commit c9afc7680f3e1f0510518de9de4264553a31aade) --- lib/libc/sys/execve.2 | 5 ++++- lib/libc/tests/gen/posix_spawn_test.c | 9 +++------ sys/kern/kern_exec.c | 6 ++++++ 3 files changed, 13 insertions(+), 7 deletions(-) diff --git a/lib/libc/sys/execve.2 b/lib/libc/sys/execve.2 index a8f5aa14854b..1abadba13d91 100644 --- a/lib/libc/sys/execve.2 +++ b/lib/libc/sys/execve.2 @@ -28,7 +28,7 @@ .\" @(#)execve.2 8.5 (Berkeley) 6/1/94 .\" $FreeBSD$ .\" -.Dd March 30, 2020 +.Dd January 26, 2022 .Dt EXECVE 2 .Os .Sh NAME @@ -273,6 +273,9 @@ Search permission is denied for a component of the path prefix. The new process file is not an ordinary file. .It Bq Er EACCES The new process file mode denies execute permission. +.It Bq Er EINVAL +.Fa argv +did not contain at least one element. .It Bq Er ENOEXEC The new process file has the appropriate access permission, but has an invalid magic number in its header. diff --git a/lib/libc/tests/gen/posix_spawn_test.c b/lib/libc/tests/gen/posix_spawn_test.c index 5e2c485473d0..46259cbf8cde 100644 --- a/lib/libc/tests/gen/posix_spawn_test.c 
+++ b/lib/libc/tests/gen/posix_spawn_test.c @@ -117,17 +117,14 @@ ATF_TC_BODY(posix_spawnp_enoexec_fallback_null_argv0, tc) { char buf[FILENAME_MAX]; char *myargs[1]; - int error, status; - pid_t pid, waitres; + int error; + pid_t pid; snprintf(buf, sizeof(buf), "%s/spawnp_enoexec.sh", atf_tc_get_config_var(tc, "srcdir")); myargs[0] = NULL; error = posix_spawnp(&pid, buf, NULL, NULL, myargs, myenv); - ATF_REQUIRE(error == 0); - waitres = waitpid(pid, &status, 0); - ATF_REQUIRE(waitres == pid); - ATF_REQUIRE(WIFEXITED(status) && WEXITSTATUS(status) == 42); + ATF_REQUIRE(error == EINVAL); } ATF_TP_ADD_TCS(tp) diff --git a/sys/kern/kern_exec.c b/sys/kern/kern_exec.c index 331508a59895..9148daf6182e 100644 --- a/sys/kern/kern_exec.c +++ b/sys/kern/kern_exec.c @@ -356,6 +356,12 @@ kern_execve(struct thread *td, struct image_args *args, struct mac *mac_p, exec_args_get_begin_envv(args) - args->begin_argv); AUDIT_ARG_ENVV(exec_args_get_begin_envv(args), args->envc, args->endp - exec_args_get_begin_envv(args)); + + /* Must have at least one argument. */ + if (args->argc == 0) { + exec_free_args(args); + return (EINVAL); + } return (do_execve(td, args, mac_p, oldvmspace)); }
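Review bot: In the second hunk of lib/libc/sys/execve.2, the new EINVAL entry says argv "did not contain at least one element" without saying what that looks like from the caller's side. Suggest phrasing it in terms of the first element, for example that argv[0] is NULL, which is exactly the case the updated test builds with "myargs[0] = NULL;". That also ties the ERRORS entry to the "At least one argument must be present in the array" sentence the commit message quotes.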
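Review bot: In lib/libc/tests/gen/posix_spawn_test.c, the test is still named posix_spawnp_enoexec_fallback_null_argv0 and still builds the path to spawnp_enoexec.sh, but after this change it only asserts "error == EINVAL" and never reaches the ENOEXEC fallback. Suggest renaming it (or updating its description) to say it checks that an empty argv is rejected, and adding a case that calls execve() directly with argv[0] == NULL, since the kernel check in kern_execve() is otherwise covered only through posix_spawnp().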
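Review bot: In sys/kern/kern_exec.c, the "args->argc == 0" check is placed after AUDIT_ARG_ARGV() and AUDIT_ARG_ENVV(), so a rejected exec still goes through the audit argument macros with an empty argv. If that ordering is deliberate, so the failed attempt is recorded, the comment should say so; otherwise move the check above them. The early return also calls exec_free_args(args) itself, so please confirm that every caller of kern_execve() treats args as consumed on error, the same way it does when do_execve() fails, to rule out a double free. The comment "Must have at least one argument." could also note the reason given in the commit message, that argc == 0 has been a source of security issues.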