[v2,0/2] exec: Avoid pathological argc, envc, and bprm->p values

Message ID	20240621204729.it.434-kees@kernel.org (mailing list archive)
Headers	show Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 0C2C1156F2E; Fri, 21 Jun 2024 20:50:46 +0000 (UTC) From: Kees Cook <kees@kernel.org> To: Guenter Roeck <linux@roeck-us.net> Cc: Kees Cook <kees@kernel.org>, Eric Biederman <ebiederm@xmission.com>, Al Viro <viro@zeniv.linux.org.uk>, Christian Brauner <brauner@kernel.org>, Jan Kara <jack@suse.cz>, Alexey Dobriyan <adobriyan@gmail.com>, Laurent Vivier <laurent@vivier.eu>, Lukas Bulwahn <lukas.bulwahn@gmail.com>, Justin Stitt <justinstitt@google.com>, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-mm@kvack.org, linux-hardening@vger.kernel.org Subject: [PATCH v2 0/2] exec: Avoid pathological argc, envc, and bprm->p values Date: Fri, 21 Jun 2024 13:50:42 -0700 Message-Id: <20240621204729.it.434-kees@kernel.org> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	exec: Avoid pathological argc, envc, and bprm->p values \| expand [v2,0/2] exec: Avoid pathological argc, envc, and bprm->p values [v2,1/2] execve: Keep bprm->argmin behind CONFIG_MMU [v2,2/2] exec: Avoid pathological argc, envc, and bprm->p values

Message ID

20240621204729.it.434-kees@kernel.org (mailing list archive)

Headers

From: Kees Cook <kees@kernel.org>
To: Guenter Roeck <linux@roeck-us.net>
Cc: Kees Cook <kees@kernel.org>,
	Eric Biederman <ebiederm@xmission.com>,
	Al Viro <viro@zeniv.linux.org.uk>,
	Christian Brauner <brauner@kernel.org>,
	Jan Kara <jack@suse.cz>,
	Alexey Dobriyan <adobriyan@gmail.com>,
	Laurent Vivier <laurent@vivier.eu>,
	Lukas Bulwahn <lukas.bulwahn@gmail.com>,
	Justin Stitt <justinstitt@google.com>,
	linux-kernel@vger.kernel.org,
	linux-fsdevel@vger.kernel.org,
	linux-mm@kvack.org,
	linux-hardening@vger.kernel.org
Subject: [PATCH v2 0/2] exec: Avoid pathological argc, envc,
 and bprm->p values
Date: Fri, 21 Jun 2024 13:50:42 -0700
Message-Id: <20240621204729.it.434-kees@kernel.org>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

exec: Avoid pathological argc, envc, and bprm->p values | expand

Message

Kees Cook June 21, 2024, 8:50 p.m. UTC

Hi,

This pair of patches replaces the last patch in this[1] series.

Perform bprm argument overflow checking but only do argmin checks for MMU
systems. To avoid tripping over this again, argmin is explicitly defined
only for CONFIG_MMU. Thank you to Guenter Roeck for finding this issue
(again)!

-Kees

[1] https://lore.kernel.org/all/20240520021337.work.198-kees@kernel.org/

Kees Cook (2):
  execve: Keep bprm->argmin behind CONFIG_MMU
  exec: Avoid pathological argc, envc, and bprm->p values

 fs/exec.c               | 36 +++++++++++++++++++++++++++++-------
 fs/exec_test.c          | 30 +++++++++++++++++++++++++++++-
 include/linux/binfmts.h |  2 +-
 3 files changed, 59 insertions(+), 9 deletions(-)

Comments

Guenter Roeck June 21, 2024, 9:44 p.m. UTC | #1

On 6/21/24 13:50, Kees Cook wrote:
> Hi,
> 
> This pair of patches replaces the last patch in this[1] series.
> 
> Perform bprm argument overflow checking but only do argmin checks for MMU
> systems. To avoid tripping over this again, argmin is explicitly defined
> only for CONFIG_MMU. Thank you to Guenter Roeck for finding this issue
> (again)!
> 

That does make me wonder: Is anyone but me testing, much less running,
the nommu code in the kernel ?

mps2-an385 trips over the same problem, and xtensa:nommu_kc705_defconfig
doesn't even build in linux-next right now (spoiler alert: I suspect that
the problem is caused by "kunit: test: Add vm_mmap() allocation resource
manager", but I did not have time to bisect it).

I am kind of tired keeping those tests alive, and I would not exactly
shed tears if nommu support would just be dropped entirely.

Guenter

Kees Cook June 27, 2024, 7:49 p.m. UTC | #2

On Fri, Jun 21, 2024 at 02:44:05PM -0700, Guenter Roeck wrote:
> On 6/21/24 13:50, Kees Cook wrote:
> > Hi,
> > 
> > This pair of patches replaces the last patch in this[1] series.
> > 
> > Perform bprm argument overflow checking but only do argmin checks for MMU
> > systems. To avoid tripping over this again, argmin is explicitly defined
> > only for CONFIG_MMU. Thank you to Guenter Roeck for finding this issue
> > (again)!
> > 
> 
> That does make me wonder: Is anyone but me testing, much less running,
> the nommu code in the kernel ?
> 
> mps2-an385 trips over the same problem, and xtensa:nommu_kc705_defconfig
> doesn't even build in linux-next right now (spoiler alert: I suspect that
> the problem is caused by "kunit: test: Add vm_mmap() allocation resource
> manager", but I did not have time to bisect it).

This has a fixed pending:
https://lore.kernel.org/lkml/202406271005.4E767DAE@keescook/

> I am kind of tired keeping those tests alive, and I would not exactly
> shed tears if nommu support would just be dropped entirely.

I haven't ever used the nommu builds, so I don't have a useful opinion
here. :)

-Kees