Module Name: src
Committed By: christos
Date: Sat Feb 5 23:10:20 UTC 2022
Modified Files:
src/sys/kern: kern_exec.c
Log Message:
Prevent escallation of privilege due to poor handling of argc == 0 in set*id
binaries by refusing to execute them.
To generate a diff of this commit:
cvs rdiff -u -r1.514 -r1.515 src/sys/kern/kern_exec.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/kern/kern_exec.c
diff -u src/sys/kern/kern_exec.c:1.514 src/sys/kern/kern_exec.c:1.515
--- src/sys/kern/kern_exec.c:1.514 Fri Nov 26 03:06:12 2021
+++ src/sys/kern/kern_exec.c Sat Feb 5 18:10:20 2022
@@ -1,4 +1,4 @@
-/* $NetBSD: kern_exec.c,v 1.514 2021/11/26 08:06:12 ryo Exp $ */
+/* $NetBSD: kern_exec.c,v 1.515 2022/02/05 23:10:20 christos Exp $ */
/*-
* Copyright (c) 2008, 2019, 2020 The NetBSD Foundation, Inc.
@@ -62,7 +62,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: kern_exec.c,v 1.514 2021/11/26 08:06:12 ryo Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_exec.c,v 1.515 2022/02/05 23:10:20 christos Exp $");
#include "opt_exec.h"
#include "opt_execfmt.h"
@@ -1038,9 +1038,10 @@ pathexec(struct proc *p, const char *res
/* XXX elsewhere */
static int
-credexec(struct lwp *l, struct vattr *attr)
+credexec(struct lwp *l, struct execve_data *data)
{
struct proc *p = l->l_proc;
+ struct vattr *attr = &data->ed_attr;
int error;
/*
@@ -1061,6 +1062,12 @@ credexec(struct lwp *l, struct vattr *at
*/
proc_crmod_enter();
proc_crmod_leave(NULL, NULL, true);
+ if (data->ed_argc == 0) {
+ DPRINTF((
+ "%s: not executing set[ug]id binary with no args\n",
+ __func__));
+ return EINVAL;
+ }
/* Make sure file descriptors 0..2 are in use. */
if ((error = fd_checkstd()) != 0) {
@@ -1273,7 +1280,7 @@ execve_runproc(struct lwp *l, struct exe
p->p_flag |= PK_EXEC;
mutex_exit(p->p_lock);
- error = credexec(l, &data->ed_attr);
+ error = credexec(l, data);
if (error)
goto exec_abort;
