Date: Thu, 17 Oct 2024 08:34:43 -0600
From: Tycho Andersen
To: Kees Cook
Cc: Zbigniew Jędrzejewski-Szmek, "Eric W. Biederman", Alexander Viro, Christian Brauner, Jan Kara, Jeff Layton, Chuck Lever, Alexander Aring, linux-fsdevel@vger.kernel.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, Tycho Andersen, Aleksa Sarai
Subject: Re: [RFC] exec: add a flag for "reasonable" execveat() comm

On Mon, Oct 14, 2024 at 02:13:32PM -0700, Kees Cook wrote: > On Wed, Oct 09, 2024 at 08:41:31AM -0600, Tycho Andersen wrote: > > +static int bprm_add_fixup_comm(struct linux_binprm *bprm, struct user_arg_ptr argv) > > +{ > > + const char __user *p = get_user_arg_ptr(argv, 0); > > + > > + /* > > + * In keeping with the logic in do_execveat_common(), we say p == NULL > > + * => "" for comm. 
> > + */ > > + if (!p) { > > + bprm->argv0 = kstrdup("", GFP_KERNEL); > > + return 0; > > + } > > + > > + bprm->argv0 = strndup_user(p, MAX_ARG_STRLEN); > > + if (bprm->argv0) > > + return 0; > > + > > + return -EFAULT; > > +} > > I'd rather this logic got done in copy_strings() and to avoid duplicating > a copy for all exec users. I think it should be possible to just do > this, to find the __user char *: > > diff --git a/fs/exec.c b/fs/exec.c > index 77364806b48d..e12fd706f577 100644 > --- a/fs/exec.c > +++ b/fs/exec.c > @@ -642,6 +642,8 @@ static int copy_strings(int argc, struct user_arg_ptr argv, > goto out; > } > } > + if (argc == 0) > + bprm->argv0 = str; > } > ret = 0; > out: Isn't str here a __user? We want a kernel string for setting comm, so I guess kaddr+offset? But that's not mapped any more... > Once we get to begin_new_exec(), only if we need to do the work (fdpath > set), then we can do the strndup_user() instead of making every exec > hold a copy regardless of whether it will be needed. What happens if that allocation fails? begin_new_exec() says it is the point of no return, so we would just swallow the exec? Or have mysteriously inconsistent behavior? I think we could check ->fdpath in the bprm_add_fixup_comm() above, and only do the allocation when really necessary. I should have done that in the above version, which would have made the comment about checking fdpath even somewhat true :) Something like the below? Tycho diff --git a/fs/exec.c b/fs/exec.c index dad402d55681..7ec0bbfbc3c3 100644 --- a/fs/exec.c +++ b/fs/exec.c 
@@ -1416,7 +1416,16 @@ int begin_new_exec(struct linux_binprm * bprm) set_dumpable(current->mm, SUID_DUMP_USER); perf_event_exec(); - __set_task_comm(me, kbasename(bprm->filename), true); + + /* + * If argv0 was set, execveat() made up a path that will + * probably not be useful to admins running ps or similar. + * Let's fix it up to be something reasonable. + */ + if (bprm->argv0) + __set_task_comm(me, kbasename(bprm->argv0), true); + else + __set_task_comm(me, kbasename(bprm->filename), true); /* An exec changes our domain. We are no longer part of the thread group */ @@ -1566,9 +1575,36 @@ static void free_bprm(struct linux_binprm *bprm) if (bprm->interp != bprm->filename) kfree(bprm->interp); kfree(bprm->fdpath); + kfree(bprm->argv0); kfree(bprm); } +static int bprm_add_fixup_comm(struct linux_binprm *bprm, struct user_arg_ptr argv) +{ + const char __user *p = get_user_arg_ptr(argv, 0); + + /* + * If this isn't an execveat(), we don't need to fix up the command. + */ + if (!bprm->fdpath) + return 0; + + /* + * In keeping with the logic in do_execveat_common(), we say p == NULL + * => "" for comm. + */ + if (!p) { + bprm->argv0 = kstrdup("", GFP_KERNEL); + return 0; + } + + bprm->argv0 = strndup_user(p, MAX_ARG_STRLEN); + if (bprm->argv0) + return 0; + + return -EFAULT; +} + static struct linux_binprm *alloc_bprm(int fd, struct filename *filename, int flags) { struct linux_binprm *bprm; @@ -1975,6 +2011,10 @@ static int do_execveat_common(int fd, struct filename *filename, goto out_ret; } + retval = bprm_add_fixup_comm(bprm, argv); + if (retval != 0) + goto out_free; + retval = count(argv, MAX_ARG_STRINGS); if (retval == 0) pr_warn_once("process '%s' launched '%s' with NULL argv: empty string added\n",
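Review bot: in the begin_new_exec() hunk, the `if (bprm->argv0)` branch is also taken when bprm_add_fixup_comm() stored the empty string for a NULL argv[0], so comm ends up empty, which is no more useful to someone running ps than the made-up path. Consider falling back to `kbasename(bprm->filename)` when bprm->argv0 is empty. The comment should also say that argv0 is only populated when fdpath is set, and that comm then comes from the caller-supplied argv[0] rather than from the executed file, which matters to anyone who reads comm in monitoring or audit tooling.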
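Review bot: in bprm_add_fixup_comm(), the `if (bprm->argv0) return 0;` test after strndup_user() does not detect failure, because strndup_user() reports errors as an ERR_PTR() value rather than NULL. On a fault or an over-long argv[0] the helper returns 0 with an error pointer left in bprm->argv0, which begin_new_exec() then hands to kbasename() and free_bprm() hands to kfree(). Test with IS_ERR(), return PTR_ERR(), and reset bprm->argv0 to NULL before returning. The `kstrdup("", GFP_KERNEL)` branch also returns 0 without checking the result, so an allocation failure there silently falls back to the bprm->filename comm; returning -ENOMEM would keep the behaviour consistent.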
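Review bot: the bprm_add_fixup_comm() call added to do_execveat_common() reads argv[0] from user memory before `count(argv, MAX_ARG_STRINGS)` runs, and the argument strings are read from user memory again when they are copied for the new program, so comm and the argv[0] the new program sees can differ if another thread rewrites the string in between. If that is acceptable, say so in a comment. Placing the call after count() would also let the NULL-argv case be handled next to the existing pr_warn_once() instead of separately inside the helper.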