authorVignesh Raghavendra <vigneshr@ti.com>2022-06-04 13:32:19 +0530
committerVignesh Raghavendra <vigneshr@ti.com>2022-06-04 13:32:19 +0530
commitde63dee020025075c6962f6b536797bc3af3e970 (patch)
tree89173487fdaabb029dfb1b0a6b68484ec3edef35 /fs/exec.c
parentcc13f3f3acad08038b76f5f26f66151c136d1eaf (diff)
parente61686bb77c441d8e5f10dc063e2cea799e4aae6 (diff)
Merge tag 'v5.10.115' of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux into ti-linux-5.10.y
This is the 5.10.115 stable release * tag 'v5.10.115' of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux: (1162 commits) Linux 5.10.115 mmc: rtsx: add 74 Clocks in power on flow PCI: aardvark: Fix reading MSI interrupt number PCI: aardvark: Clear all MSIs at setup dm: interlock pending dm_io and dm_wait_for_bios_completion block-map: add __GFP_ZERO flag for alloc_page in function bio_copy_kern rcu: Apply callbacks processing time limit only on softirq rcu: Fix callbacks processing time limit retaining cond_resched() KVM: LAPIC: Enable timer posted-interrupt only when mwait/hlt is advertised KVM: x86/mmu: avoid NULL-pointer dereference on page freeing bugs KVM: x86: Do not change ICR on write to APIC_SELF_IPI x86/kvm: Preserve BSP MSR_KVM_POLL_CONTROL across suspend/resume net/mlx5: Fix slab-out-of-bounds while reading resource dump menu kvm: x86/cpuid: Only provide CPUID leaf 0xA if host has architectural PMU net: igmp: respect RCU rules in ip_mc_source() and ip_mc_msfilter() btrfs: always log symlinks in full mode smsc911x: allow using IRQ0 selftests: ocelot: tc_flower_chains: specify conform-exceed action for policer bnxt_en: Fix unnecessary dropping of RX packets bnxt_en: Fix possible bnxt_open() failure caused by wrong RFS flag ... Signed-off-by: Vignesh Raghavendra <vigneshr@ti.com>
Diffstat (limited to 'fs/exec.c')
-rw-r--r--fs/exec.c26
1 files changed, 25 insertions, 1 deletions
diff --git a/fs/exec.c b/fs/exec.c
index ca89e0e3ef10..bcd86f2d176c 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -494,8 +494,14 @@ static int bprm_stack_limits(struct linux_binprm *bprm)
* the stack. They aren't stored until much later when we can't
* signal to the parent that the child has run out of stack space.
* Instead, calculate it here so it's possible to fail gracefully.
+ *
+ * In the case of argc = 0, make sure there is space for adding a
+ * empty string (which will bump argc to 1), to ensure confused
+ * userspace programs don't start processing from argv[1], thinking
+ * argc can never be 0, to keep them from walking envp by accident.
+ * See do_execveat_common().
*/
- ptr_size = (bprm->argc + bprm->envc) * sizeof(void *);
+ ptr_size = (max(bprm->argc, 1) + bprm->envc) * sizeof(void *);
if (limit <= ptr_size)
return -E2BIG;
limit -= ptr_size;
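Review bot: The sum on the changed line, `max(bprm->argc, 1) + bprm->envc`, is still evaluated in `int` (assuming envc is an int like argc) before the multiplication by `sizeof(void *)` widens it, so two very large counts could overflow the signed add and yield a `ptr_size` that slips past the `limit <= ptr_size` check. Whether that is reachable depends on the bound count() enforces through MAX_ARG_STRINGS, whose value is not shown here, so this needs confirming. Widening before the add, e.g. `ptr_size = ((size_t)max(bprm->argc, 1) + bprm->envc) * sizeof(void *);`, or an explicit overflow check that returns -E2BIG, would make the limit calculation robust. The body of bprm_stack_limits() starts and ends outside the hunk.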
@@ -1886,6 +1892,9 @@ static int do_execveat_common(int fd, struct filename *filename,
}
retval = count(argv, MAX_ARG_STRINGS);
+ if (retval == 0)
+ pr_warn_once("process '%s' launched '%s' with NULL argv: empty string added\n",
+ current->comm, bprm->filename);
if (retval < 0)
goto out_free;
bprm->argc = retval;
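Review bot: Because the new warning uses `pr_warn_once`, only the first empty-argv exec after boot is logged, so the message cannot serve as a detection signal for later occurrences. A comment saying so would keep readers from relying on it, e.g. `/* One-shot hint for developers; later empty-argv execs are not logged. */`. The text also says "NULL argv", but the condition is count() returning 0, which presumably also covers a non-NULL argv whose first entry is NULL, so `"process '%s' launched '%s' with empty argv: empty string added\n"` would be more accurate. Monitoring that needs every occurrence should come from exec auditing rather than this printk. do_execveat_common() begins and ends outside the hunk.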
@@ -1912,6 +1921,19 @@ static int do_execveat_common(int fd, struct filename *filename,
if (retval < 0)
goto out_free;
+ /*
+ * When argv is empty, add an empty string ("") as argv[0] to
+ * ensure confused userspace programs that start processing
+ * from argv[1] won't end up walking envp. See also
+ * bprm_stack_limits().
+ */
+ if (bprm->argc == 0) {
+ retval = copy_string_kernel("", bprm);
+ if (retval < 0)
+ goto out_free;
+ bprm->argc = 1;
+ }
+
retval = bprm_execve(bprm, fd, filename, flags);
out_free:
free_bprm(bprm);
@@ -1940,6 +1962,8 @@ int kernel_execve(const char *kernel_filename,
}
retval = count_strings_kernel(argv);
+ if (WARN_ON_ONCE(retval == 0))
+ retval = -EINVAL;
if (retval < 0)
goto out_free;
bprm->argc = retval;
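Review bot: The new rejection in kernel_execve() has no comment explaining why an empty argv is an error here while the userspace path in do_execveat_common() pads it with "" instead. I would add something like `/* In-kernel callers must supply argv[0]; treat an empty argv as a caller bug instead of padding it. */` above the `WARN_ON_ONCE`. Note also that the warning is printed once but the `-EINVAL` applies on every call, so a caller that ignores the return value fails silently after the first report. The function continues outside the hunk.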