| Message ID | 20241105181905.work.462-kees@kernel.org (mailing list archive) |
|---|---|
| State | In Next |
| Commit | f14e5adc14c26f9fc61ba33d5ee3715a3ea17760 |
| Series | exec: NULL out bprm->argv0 when it is an ERR_PTR |
On Tue, Nov 05, 2024 at 10:19:11AM -0800, Kees Cook wrote:
> Attempting to free an ERR_PTR will not work. ;)
>
> process 'syz-executor210' launched '/dev/fd/3' with NULL argv: empty string added
> kernel BUG at arch/x86/mm/physaddr.c:23!
>
> Set bprm->argv0 to NULL if it fails to get a string from userspace so
> that bprm_free() will not try to free an invalid pointer when cleaning up.
>
> Reported-by: syzbot+03e1af5c332f7e0eb84b@syzkaller.appspotmail.com
> Closes: https://lore.kernel.org/all/6729d8d1.050a0220.701a.0017.GAE@google.com
> Fixes: 7bdc6fc85c9a ("exec: fix up /proc/pid/comm in the execveat(AT_EMPTY_PATH) case")
> Signed-off-by: Kees Cook <kees@kernel.org>

Reviewed-by: Tycho Andersen <tycho@tycho.pizza>

Thanks.
On Tue, Nov 05, 2024 at 10:19:11AM -0800, Kees Cook wrote:
> Attempting to free an ERR_PTR will not work. ;)
>
> process 'syz-executor210' launched '/dev/fd/3' with NULL argv: empty string added
> kernel BUG at arch/x86/mm/physaddr.c:23!
>
> Set bprm->argv0 to NULL if it fails to get a string from userspace so
> that bprm_free() will not try to free an invalid pointer when cleaning up.
>
> Reported-by: syzbot+03e1af5c332f7e0eb84b@syzkaller.appspotmail.com
> Closes: https://lore.kernel.org/all/6729d8d1.050a0220.701a.0017.GAE@google.com
> Fixes: 7bdc6fc85c9a ("exec: fix up /proc/pid/comm in the execveat(AT_EMPTY_PATH) case")
> Signed-off-by: Kees Cook <kees@kernel.org>
> ---
> Cc: Alexander Viro <viro@zeniv.linux.org.uk>
> Cc: Christian Brauner <brauner@kernel.org>
> Cc: Jan Kara <jack@suse.cz>
> Cc: Eric Biederman <ebiederm@xmission.com>
> Cc: linux-fsdevel@vger.kernel.org
> Cc: linux-mm@kvack.org

Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
On Tue, Nov 05, 2024 at 10:19:11AM -0800, Kees Cook wrote:
> Attempting to free an ERR_PTR will not work. ;)
>
> process 'syz-executor210' launched '/dev/fd/3' with NULL argv: empty string added
> kernel BUG at arch/x86/mm/physaddr.c:23!
>
> Set bprm->argv0 to NULL if it fails to get a string from userspace so
> that bprm_free() will not try to free an invalid pointer when cleaning up.
>
> Reported-by: syzbot+03e1af5c332f7e0eb84b@syzkaller.appspotmail.com
> Closes: https://lore.kernel.org/all/6729d8d1.050a0220.701a.0017.GAE@google.com
> Fixes: 7bdc6fc85c9a ("exec: fix up /proc/pid/comm in the execveat(AT_EMPTY_PATH) case")
> Signed-off-by: Kees Cook <kees@kernel.org>
> ---

Reviewed-by: Christian Brauner <brauner@kernel.org>
diff --git a/fs/exec.c b/fs/exec.c index 79045c1d1608..65448ea609a2 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -1522,8 +1522,12 @@ static int bprm_add_fixup_comm(struct linux_binprm *bprm, return 0; bprm->argv0 = strndup_user(p, MAX_ARG_STRLEN); - if (IS_ERR(bprm->argv0)) - return PTR_ERR(bprm->argv0); + if (IS_ERR(bprm->argv0)) { + int rc = PTR_ERR(bprm->argv0); + + bprm->argv0 = NULL; + return rc; + } return 0; }
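Review bot: the error path in bprm_add_fixup_comm() could avoid ever storing an ERR_PTR in the bprm at all, rather than writing it into bprm->argv0 and then repairing it, by assigning the strndup_user() result to a local first: `char *argv0 = strndup_user(p, MAX_ARG_STRLEN);` / `if (IS_ERR(argv0)) return PTR_ERR(argv0);` / `bprm->argv0 = argv0;`. That keeps the invariant "bprm->argv0 is either NULL or a live allocation" true at every instruction, which is easier to audit than a field that is briefly invalid, and it drops the extra `rc` temporary. The NULL-out as written is correct and fixes the reported crash, since the cleanup in bprm_free() named in the commit message then sees a NULL pointer, which kfree() treats as a no-op; a one-line comment above the `if` noting that bprm_free() frees argv0 unconditionally would make the reason for the NULL assignment obvious to the next reader.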
Attempting to free an ERR_PTR will not work. ;)

process 'syz-executor210' launched '/dev/fd/3' with NULL argv: empty string added
kernel BUG at arch/x86/mm/physaddr.c:23!

Set bprm->argv0 to NULL if it fails to get a string from userspace so
that bprm_free() will not try to free an invalid pointer when cleaning up.

Reported-by: syzbot+03e1af5c332f7e0eb84b@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/6729d8d1.050a0220.701a.0017.GAE@google.com
Fixes: 7bdc6fc85c9a ("exec: fix up /proc/pid/comm in the execveat(AT_EMPTY_PATH) case")
Signed-off-by: Kees Cook <kees@kernel.org>
---
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Christian Brauner <brauner@kernel.org>
Cc: Jan Kara <jack@suse.cz>
Cc: Eric Biederman <ebiederm@xmission.com>
Cc: linux-fsdevel@vger.kernel.org
Cc: linux-mm@kvack.org
---
 fs/exec.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)