Brian Gianforcaro e954b4bdd4 Kernel: Return error from sys$execve() when called with zero arguments ...

There are many assumptions in the stack that argc is not zero, and
argv[0] points to a valid string. The recent pwnkit exploit on Linux
was able to exploit this assumption in the `pkexec` utility
(a SUID-root binary) to escalate from any user to root.

By convention `execve(..)` should always be called with at least one
valid argument, so lets enforce that semantic to harden the system
against vulnerabilities like pwnkit.

Reference: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt

2022-01-26 13:05:59 +01:00

38 KiB

Raw Blame History

View Raw