assert(params);
assert(exit_status);
+ /* Explicitly test for CVE-2021-4034 inspired invocations */
+ assert(command->path);
+ assert(!strv_isempty(command->argv));
+
rename_process_from_path(command->path);
/* We reset exactly these signals, since they are the only ones we set to SIG_IGN in the main
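Review bot: The two added `assert()` calls on `command->path` and `command->argv` only catch a programming error, and depending on how this project defines `assert()` they may compile to nothing in NDEBUG builds, so they should not be read as the mitigation itself. The refusal that holds in every build is the `-EINVAL` return added to `fexecve_or_execve()` in the second hunk. I would make that explicit in the comment, e.g. `/* Explicitly test for CVE-2021-4034 inspired invocations; debug aid only, fexecve_or_execve() refuses an empty argv[] at runtime */`. The enclosing function starts and ends outside the hunk, so it is not visible here whether an empty argv can reach this point from parsed configuration, in which case a clean error through `exit_status` would be preferable to an abort.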
}
int fexecve_or_execve(int executable_fd, const char *executable, char *const argv[], char *const envp[]) {
+ /* Refuse invalid fds, regardless if fexecve() use is enabled or not */
+ if (executable_fd < 0)
+ return -EBADF;
+
+ /* Block any attempts on exploiting Linux' liberal argv[] handling, i.e. CVE-2021-4034 and suchlike */
+ if (isempty(executable) || strv_isempty(argv))
+ return -EINVAL;
+
#if ENABLE_FEXECVE
+
execveat(executable_fd, "", argv, envp, AT_EMPTY_PATH);
if (IN_SET(errno, ENOSYS, ENOENT) || ERRNO_IS_PRIVILEGE(errno))
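Review bot: The new `executable_fd < 0` check sits above `#if ENABLE_FEXECVE`, so builds without fexecve() now return `-EBADF` to any caller that passes a placeholder fd, even though the only visible use of the fd is the `execveat()` call. The comment says this is intended, but the callers are outside the hunk and should be confirmed to always hold a valid fd. The function also has no visible header comment for its two new early failure modes; I would add `/* Returns -EBADF for a negative fd and -EINVAL for an empty path or empty argv[], in both cases before any exec is attempted */` above the signature. It is worth confirming that `strv_isempty()` covers both a NULL `argv` and `argv[0] == NULL`, since those are the two shapes the argc == 0 case can take. The function body continues past the end of the hunk.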