Date: Wed, 6 Nov 2024 10:39:25 +0100
From: Christian Brauner
To: Kees Cook
Cc: Al Viro, syzbot+03e1af5c332f7e0eb84b@syzkaller.appspotmail.com, Jan Kara, Eric Biederman, linux-fsdevel@vger.kernel.org, linux-mm@kvack.org, Tycho Andersen, Zbigniew Jędrzejewski-Szmek, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: Re: [PATCH] exec: NULL out bprm->argv0 when it is an ERR_PTR
Message-ID: <20241106-balsam-untragbar-1aa86b2bb7bb@brauner>
In-Reply-To: <20241105181905.work.462-kees@kernel.org>

On Tue, Nov 05, 2024 at 10:19:11AM -0800, Kees Cook wrote:
> Attempting to free an ERR_PTR will not work. ;)
>
> process 'syz-executor210' launched '/dev/fd/3' with NULL argv: empty string added
> kernel BUG at arch/x86/mm/physaddr.c:23!
>
> Set bprm->argv0 to NULL if it fails to get a string from userspace so
> that bprm_free() will not try to free an invalid pointer when cleaning up.
>
> Reported-by: syzbot+03e1af5c332f7e0eb84b@syzkaller.appspotmail.com
> Closes: https://lore.kernel.org/all/6729d8d1.050a0220.701a.0017.GAE@google.com
> Fixes: 7bdc6fc85c9a ("exec: fix up /proc/pid/comm in the execveat(AT_EMPTY_PATH) case")
> Signed-off-by: Kees Cook
> ---

Reviewed-by: Christian Brauner
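
The failure mode described in the quoted commit message, as an added userspace C model that is not part of the original email or the kernel source: an error-encoded pointer left in a field that cleanup frees unconditionally, next to the variant that NULLs the field first. Everything prefixed `model_` is hypothetical; `ERR_PTR`, `PTR_ERR` and `IS_ERR` here only mimic the kernel helpers of the same names.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Model of the ERR_PTR convention: the top MAX_ERRNO addresses encode -errno. */
#define MAX_ERRNO 4095
static void *ERR_PTR(long err) { return (void *)(intptr_t)err; }
static long PTR_ERR(const void *p) { return (long)(intptr_t)p; }
static int IS_ERR(const void *p) { return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO; }

struct model_bprm { char *argv0; };   /* hypothetical stand-in, one field */

/* Hypothetical user-copy helper: heap copy on success, ERR_PTR on failure. */
static char *model_copy_string(const char *user)
{
    if (!user)
        return ERR_PTR(-EFAULT);
    char *s = malloc(strlen(user) + 1);
    return s ? strcpy(s, user) : ERR_PTR(-ENOMEM);
}

/* Setup step: fixed=0 leaves the ERR_PTR in argv0, fixed=1 NULLs it first. */
static int model_setup(struct model_bprm *b, const char *user, int fixed)
{
    b->argv0 = model_copy_string(user);
    if (!IS_ERR(b->argv0))
        return 0;
    int err = (int)PTR_ERR(b->argv0);
    if (fixed)
        b->argv0 = NULL;
    return err;
}

/* Unconditional cleanup, instrumented: returns 1 instead of freeing an ERR_PTR. */
static int model_bprm_free(struct model_bprm *b)
{
    if (IS_ERR(b->argv0))
        return 1;
    free(b->argv0);                   /* free(NULL) is a no-op */
    return 0;
}

int main(void)
{
    struct model_bprm before = { 0 }, after = { 0 };
    model_setup(&before, NULL, 0);
    model_setup(&after, NULL, 1);
    return !(model_bprm_free(&before) == 1 && model_bprm_free(&after) == 0);
}
```

The instrumented cleanup stands in for the crash: a real allocator handed the value that `ERR_PTR(-EFAULT)` produces treats it as an address it owns.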