Date: Wed, 6 Nov 2024 10:22:37 +0200
From: "Kirill A. Shutemov"
To: Kees Cook
Cc: Al Viro, syzbot+03e1af5c332f7e0eb84b@syzkaller.appspotmail.com, Christian Brauner, Jan Kara, Eric Biederman, linux-fsdevel@vger.kernel.org, linux-mm@kvack.org, Tycho Andersen, Zbigniew Jędrzejewski-Szmek, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: Re: [PATCH] exec: NULL out bprm->argv0 when it is an ERR_PTR
In-Reply-To: <20241105181905.work.462-kees@kernel.org>

On Tue, Nov 05, 2024 at 10:19:11AM -0800, Kees Cook wrote:
> Attempting to free an ERR_PTR will not work. ;)
>
> process 'syz-executor210' launched '/dev/fd/3' with NULL argv: empty string added
> kernel BUG at arch/x86/mm/physaddr.c:23!
>
> Set bprm->argv0 to NULL if it fails to get a string from userspace so
> that bprm_free() will not try to free an invalid pointer when cleaning up.
>
> Reported-by: syzbot+03e1af5c332f7e0eb84b@syzkaller.appspotmail.com
> Closes: https://lore.kernel.org/all/6729d8d1.050a0220.701a.0017.GAE@google.com
> Fixes: 7bdc6fc85c9a ("exec: fix up /proc/pid/comm in the execveat(AT_EMPTY_PATH) case")
> Signed-off-by: Kees Cook
> ---
> Cc: Alexander Viro
> Cc: Christian Brauner
> Cc: Jan Kara
> Cc: Eric Biederman
> Cc: linux-fsdevel@vger.kernel.org
> Cc: linux-mm@kvack.org

Acked-by: Kirill A. Shutemov

-- 
Kiryl Shutsemau / Kirill A. Shutemov
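
A user-space model of the bug the quoted commit message describes, added here as an illustration (not code from the patch or the kernel tree). `struct bprm_model`, `fetch_user_string()`, `model_kfree()`, `setup_argv0()` and `run_case()` are hypothetical stand-ins, and the free of an error pointer is counted rather than performed.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* User-space copies of the kernel's error-pointer helpers. */
#define MAX_ERRNO 4095
static void *ERR_PTR(long err) { return (void *)(intptr_t)err; }
static long PTR_ERR(const void *p) { return (long)(intptr_t)p; }
static int IS_ERR(const void *p) { return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO; }

struct bprm_model { char *argv0; };  /* hypothetical: only argv0 is modelled */
static int bad_frees;                /* frees attempted on an error pointer */

/* Stand-in for kfree(): NULL is a no-op; an error pointer is counted, not freed. */
static void model_kfree(void *p) { if (IS_ERR(p)) bad_frees++; else free(p); }

/* Stand-in for copying a string from userspace; src == NULL models a fault. */
static char *fetch_user_string(const char *src)
{
    char *copy = src ? malloc(strlen(src) + 1) : NULL;
    if (!src) return ERR_PTR(-EFAULT);
    return copy ? strcpy(copy, src) : ERR_PTR(-ENOMEM);
}

/* Cleanup path: frees whatever argv0 holds, with no IS_ERR() check. */
static void bprm_free_model(struct bprm_model *b) { model_kfree(b->argv0); b->argv0 = NULL; }

/* Fetch argv0; with fixed != 0 an error pointer is replaced by NULL. */
static long setup_argv0(struct bprm_model *b, const char *src, int fixed)
{
    long err;
    b->argv0 = fetch_user_string(src);
    err = IS_ERR(b->argv0) ? PTR_ERR(b->argv0) : 0;
    if (err && fixed) b->argv0 = NULL;  /* the fix: leave nothing invalid behind */
    return err;
}

/* One failed setup followed by cleanup; returns the number of bad frees. */
static int run_case(int fixed, long *err)
{
    struct bprm_model b = { NULL };
    bad_frees = 0;
    *err = setup_argv0(&b, NULL, fixed);
    bprm_free_model(&b);
    return bad_frees;
}

int main(void) { long e; return run_case(1, &e); }
```

The error code still reaches the caller in both variants; only what the cleanup path later finds in the field differs.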