PUBLISHED

CVE-2022-49264

exec: Force single empty string when argv is empty



Description

In the Linux kernel, the following vulnerability has been resolved:

exec: Force single empty string when argv is empty

Quoting[1] Ariadne Conill:

"In several other operating systems, it is a hard requirement that the second argument to execve(2) be the name of a program, thus prohibiting a scenario where argc < 1. POSIX 2017 also recommends this behaviour, but it is not an explicit requirement[2]:

    The argument arg0 should point to a filename string that is associated with the process being started by one of the exec functions.

...

Interestingly, Michael Kerrisk opened an issue about this in 2008[3], but there was no consensus to support fixing this issue then. Hopefully now that CVE-2021-4034 shows practical exploitative use[4] of this bug in a shellcode, we can reconsider.

This issue is being tracked in the KSPP issue tracker[5]."

While the initial code searches[6][7] turned up what appeared to be mostly corner case tests, trying to just reject argv == NULL (or an immediately terminated pointer list) quickly started tripping[8] existing userspace programs.

The next best approach is forcing a single empty string into argv and adjusting argc to match. The number of programs depending on argc == 0 seems a smaller set than those calling execve with a NULL argv.

Account for the additional stack space in bprm_stack_limits(). Inject an empty string when argc == 0 (and set argc = 1). Warn about the case so userspace has some notice about the change:

    process './argc0' launched './argc0' with NULL argv: empty string added

Additionally WARN() and reject NULL argv usage for kernel threads.

[1] https://lore.kernel.org/lkml/20220127000724.15106-1-ariadne@dereferenced.org/
[2] https://pubs.opengroup.org/onlinepubs/9699919799/functions/exec.html
[3] https://bugzilla.kernel.org/show_bug.cgi?id=8408
[4] https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
[5] https://github.com/KSPP/linux/issues/176
[6] https://codesearch.debian.net/search?q=execve%5C+*%5C%28%5B%5E%2C%5D%2B%2C+*NULL&literal=0
[7] https://codesearch.debian.net/search?q=execlp%3F%5Cs*%5C%28%5B%5E%2C%5D%2B%2C%5Cs*NULL&literal=0
[8] https://lore.kernel.org/lkml/20220131144352.GE16385@xsang-OptiPlex-9020/
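The fix changes what a program can find in argv at startup: a patched kernel turns an empty argv into argc == 1 with argv[0] == "", while an unpatched kernel still delivers argc == 0. The C code below is an added example, not part of the kernel patch or this record; classify_argv(), safe_progname() and first_operand() are hypothetical helper names showing how a userspace program can handle both cases without reading past the argv terminator.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helpers (not from the kernel patch): what argv looks like at startup. */
enum argv_state {
    ARGV_NORMAL,     /* argc >= 1 and argv[0] is a non-empty string */
    ARGV_EMPTY_ARG0, /* argv[0] == "", e.g. injected by a patched kernel */
    ARGV_MISSING     /* argc < 1 or argv[0] == NULL: possible on an unpatched kernel */
};

enum argv_state classify_argv(int argc, char *const argv[])
{
    if (argc < 1 || argv == NULL || argv[0] == NULL)
        return ARGV_MISSING;
    return argv[0][0] == '\0' ? ARGV_EMPTY_ARG0 : ARGV_NORMAL;
}

/* Name for diagnostics; falls back instead of dereferencing a missing argv[0]. */
const char *safe_progname(int argc, char *const argv[], const char *fallback)
{
    const char *slash;

    if (classify_argv(argc, argv) != ARGV_NORMAL)
        return fallback;
    slash = strrchr(argv[0], '/');
    return (slash != NULL && slash[1] != '\0') ? slash + 1 : argv[0];
}

/* First operand or NULL. Bounded by argc, so argc == 0 never reads argv[1]. */
const char *first_operand(int argc, char *const argv[])
{
    return (argc >= 2 && argv != NULL) ? argv[1] : NULL;
}

int main(int argc, char *argv[])
{
    const char *op;

    if (classify_argv(argc, argv) == ARGV_MISSING) {
        fputs("refusing to run: no argv[0]\n", stderr);
        return 2;
    }
    op = first_operand(argc, argv);
    printf("%s: operand=%s\n", safe_progname(argc, argv, "tool"),
           op != NULL ? op : "(none)");
    return 0;
}
```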

Reserved 2025-02-26 | Published 2025-02-26 | Updated 2025-02-26 | Assigner Linux

Product status

Default status: unaffected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 41f6ea5b9aaa28b740d47ffe995a5013211fdbb0: affected
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 98e0c7c702894987732776736c99b85ade6fba45: affected
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before b50fb8dbc8b81aaa126387de428f4c42a7c72a73: affected
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 1fe82bfd9e4ce93399d815ca458b58505191c3e8: affected
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 27a6f495b63a1804cc71be45911065db7757a98c: affected
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 1290eb4412aa0f0e9f3434b406dc8e255da85f9e: affected
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before a8054d3fa5deb84b215d6be1b910a978f3cb840d: affected
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before cfbfff8ce5e3d674947581f1eb9af0a1b1807950: affected
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before dcd46d897adb70d63e025f175a00a89797d31a43: affected

Default status: affected

4.9.317: unaffected
4.14.282: unaffected
4.19.246: unaffected
5.4.197: unaffected
5.10.110: unaffected
5.15.33: unaffected
5.16.19: unaffected
5.17.2: unaffected
5.18: unaffected

References

git.kernel.org/...c/41f6ea5b9aaa28b740d47ffe995a5013211fdbb0

git.kernel.org/...c/98e0c7c702894987732776736c99b85ade6fba45

git.kernel.org/...c/b50fb8dbc8b81aaa126387de428f4c42a7c72a73

git.kernel.org/...c/1fe82bfd9e4ce93399d815ca458b58505191c3e8

git.kernel.org/...c/27a6f495b63a1804cc71be45911065db7757a98c

git.kernel.org/...c/1290eb4412aa0f0e9f3434b406dc8e255da85f9e

git.kernel.org/...c/a8054d3fa5deb84b215d6be1b910a978f3cb840d

git.kernel.org/...c/cfbfff8ce5e3d674947581f1eb9af0a1b1807950

git.kernel.org/...c/dcd46d897adb70d63e025f175a00a89797d31a43

cve.org (CVE-2022-49264)

nvd.nist.gov (CVE-2022-49264)
