git: 7393eedb039a - stable/13 - execve: disallow argc == 0

From: Kyle Evans <kevans_at_FreeBSD.org>
Date: Thu, 10 Feb 2022 20:22:15 UTC
The branch stable/13 has been updated by kevans:

URL: https://cgit.FreeBSD.org/src/commit/?id=7393eedb039acb7890da9743a8e8322827820b2c

commit 7393eedb039acb7890da9743a8e8322827820b2c
Author:     Kyle Evans <kevans@FreeBSD.org>
AuthorDate: 2022-01-25 22:47:23 +0000
Commit:     Kyle Evans <kevans@FreeBSD.org>
CommitDate: 2022-02-10 20:21:59 +0000

    execve: disallow argc == 0
    
    The manpage has contained the following verbiage on the matter for just
    under 31 years:
    
    "At least one argument must be present in the array"
    
    Previous to this version, it had been prefaced with the weakening phrase
    "By convention."
    
    Carry through and document it the rest of the way.  Allowing argc == 0
    has been a source of security issues in the past, and it's hard to
    imagine a valid use-case for allowing it.  Toss back EINVAL if we ended
    up not copying in any args for *execve().
    
    The manpage change can be considered "Obtained from: OpenBSD"
    
    (cherry picked from commit 773fa8cd136a5775241c3e3a70f1997633ebeedf)
    (cherry picked from commit c9afc7680f3e1f0510518de9de4264553a31aade)
---
 lib/libc/sys/execve.2                 | 5 ++++-
 lib/libc/tests/gen/posix_spawn_test.c | 9 +++------
 sys/kern/kern_exec.c                  | 6 ++++++
 3 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/lib/libc/sys/execve.2 b/lib/libc/sys/execve.2
index a8f5aa14854b..1abadba13d91 100644
--- a/lib/libc/sys/execve.2
+++ b/lib/libc/sys/execve.2
@@ -28,7 +28,7 @@
 .\"     @(#)execve.2	8.5 (Berkeley) 6/1/94
 .\" $FreeBSD$
 .\"
-.Dd March 30, 2020
+.Dd January 26, 2022
 .Dt EXECVE 2
 .Os
 .Sh NAME
@@ -273,6 +273,9 @@ Search permission is denied for a component of the path prefix.
 The new process file is not an ordinary file.
 .It Bq Er EACCES
 The new process file mode denies execute permission.
+.It Bq Er EINVAL
+.Fa argv
+did not contain at least one element.
 .It Bq Er ENOEXEC
 The new process file has the appropriate access
 permission, but has an invalid magic number in its header.
diff --git a/lib/libc/tests/gen/posix_spawn_test.c b/lib/libc/tests/gen/posix_spawn_test.c
index 5e2c485473d0..46259cbf8cde 100644
--- a/lib/libc/tests/gen/posix_spawn_test.c
+++ b/lib/libc/tests/gen/posix_spawn_test.c
@@ -117,17 +117,14 @@ ATF_TC_BODY(posix_spawnp_enoexec_fallback_null_argv0, tc)
 {
 	char buf[FILENAME_MAX];
 	char *myargs[1];
-	int error, status;
-	pid_t pid, waitres;
+	int error;
+	pid_t pid;
 
 	snprintf(buf, sizeof(buf), "%s/spawnp_enoexec.sh",
 	    atf_tc_get_config_var(tc, "srcdir"));
 	myargs[0] = NULL;
 	error = posix_spawnp(&pid, buf, NULL, NULL, myargs, myenv);
-	ATF_REQUIRE(error == 0);
-	waitres = waitpid(pid, &status, 0);
-	ATF_REQUIRE(waitres == pid);
-	ATF_REQUIRE(WIFEXITED(status) && WEXITSTATUS(status) == 42);
+	ATF_REQUIRE(error == EINVAL);
 }
 
 ATF_TP_ADD_TCS(tp)
diff --git a/sys/kern/kern_exec.c b/sys/kern/kern_exec.c
index 331508a59895..9148daf6182e 100644
--- a/sys/kern/kern_exec.c
+++ b/sys/kern/kern_exec.c
@@ -356,6 +356,12 @@ kern_execve(struct thread *td, struct image_args *args, struct mac *mac_p,
 	    exec_args_get_begin_envv(args) - args->begin_argv);
 	AUDIT_ARG_ENVV(exec_args_get_begin_envv(args), args->envc,
 	    args->endp - exec_args_get_begin_envv(args));
+
+	/* Must have at least one argument. */
+	if (args->argc == 0) {
+		exec_free_args(args);
+		return (EINVAL);
+	}
 	return (do_execve(td, args, mac_p, oldvmspace));
 }