xref: /aosp_15_r20/external/ltp/testcases/kernel/syscalls/execve/execve06.c (revision 49cdfc7efb34551c7342be41a7384b9c40d7cab7) 
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3  * Copyright (c) 2022 Cyril Hrubis <[email protected]>
4  */
5 
6 /*\
7  * [Description]
8  *
9  * Test that kernel adds dummy argv[0] if empty argument list was passed to
10  * execve(). This fixes at least one CVE where userspace programs start to
11  * process argument list blindly from argv[1] such as polkit pkexec
12  * CVE-2021-4034.
13  *
14  * See also https://lwn.net/Articles/883547/
15  */
16 
17 #include <stdlib.h>
18 #include <stdio.h>
19 #include "tst_test.h"
20 
verify_execve(void)21 static void verify_execve(void)
22 {
23 	pid_t pid;
24 	char path[512];
25 	char ipc_env_var[1024];
26 
27 	sprintf(ipc_env_var, IPC_ENV_VAR "=%s", getenv(IPC_ENV_VAR));
28 
29 	char *const envp[] = {ipc_env_var, NULL};
30 	char *const argv[] = {NULL};
31 
32 	if (tst_get_path("execve06_child", path, sizeof(path)))
33 		tst_brk(TCONF, "Couldn't find execve06_child in $PATH");
34 
35 	pid = SAFE_FORK();
36 	if (pid == 0) {
37 		execve(path, argv, envp);
38 		tst_brk(TFAIL | TERRNO, "Failed to execute execve06_child");
39 	}
40 }
41 
42 static struct tst_test test = {
43 	.forks_child = 1,
44 	.child_needs_reinit = 1,
45 	.test_all = verify_execve,
46 	.tags = (const struct tst_tag[]) {
47 		{"linux-git", "dcd46d897adb"},
48 		{"CVE", "2021-4034"},
49 		{}
50 	}
51 };
52