nixos/wrappers: require argc to be at least one #156822

Merged
lheckemann merged 2 commits into NixOS:master from sugar700:wrapper-assert-argc-at-least-one
May 16, 2022
@sugar700
Member

@sugar700 sugar700 commented Jan 26, 2022

setuid applications were exploited in the past with an empty argc, such as pkexec using CVE-2021-4034. In order to avoid the risk of such vulnerabilities in the future, the wrapper was updated to prevent calling setuid like this.

See #156750.

Motivation for this change
Things done
  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 22.05 Release Notes (or backporting 21.11 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
    • (Release notes changes) Ran nixos/doc/manual/md-to-db.sh to update generated release notes
  • Fits CONTRIBUTING.md.

@github-actions github-actions bot added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` labels Jan 26, 2022
@sugar700 sugar700 force-pushed the wrapper-assert-argc-at-least-one branch from cc0364a to 2b214f0 Compare January 26, 2022 08:07
@sugar700
Member Author

@ofborg test sudo

@ofborg ofborg bot added 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin. 10.rebuild-linux: 1-10 This PR causes between 1 and 10 packages to rebuild on Linux. labels Jan 26, 2022
@dasJ dasJ requested a review from Mic92 January 26, 2022 08:29
@xbreak
Contributor

xbreak commented Jan 26, 2022

@xfix: Does the assertion work in release builds? It very well might, but it seems to me that undefining NDEBUG after <assert.h> has been included, as is done in wrapper.c, won't affect the assert() macro, which is the explicit purpose.

If NDEBUG is defined as a macro name at the point in the source file where <assert.h> is included, the assert macro is defined simply as

    #define assert(ignore) ((void)0)

- http://port70.net/~nsz/c/c89/c89-draft.html#4.2

https://github.com/NixOS/nixpkgs/blob/2b214f0a824bacd87bac1cfe09007a632959a0d4/nixos/modules/security/wrappers/wrapper.c#L1-L22

@sugar700
Member Author

sugar700 commented Jan 26, 2022

Well, the program was using assert like this already, and there is #undef NDEBUG to make sure asserts get compiled. I think it's a weird use of assert, but I don't want to do heavy refactors of this code.

EDIT: Oh, I see what you mean. I will be checking the assert.h header and will probably do some refactors.

@sugar700 sugar700 force-pushed the wrapper-assert-argc-at-least-one branch from 2b214f0 to 79fdb10 Compare January 26, 2022 13:57
@sugar700
Member Author

Created new assert macro that doesn't look at NDEBUG.

@sugar700 sugar700 force-pushed the wrapper-assert-argc-at-least-one branch from 79fdb10 to 284eb98 Compare January 26, 2022 14:00
@sugar700
Member Author

@ofborg test sudo

@sugar700 sugar700 force-pushed the wrapper-assert-argc-at-least-one branch from 284eb98 to 3cbdcb5 Compare January 27, 2022 07:15
@mweinelt mweinelt added the 1.severity: security Issues which raise a security issue, or PRs that fix one label Jan 27, 2022

C's assert macro only works when NDEBUG is undefined. Previously NDEBUG was undefined incorrectly which meant that the assert macros in wrapper.c did not work.

setuid applications were exploited in the past with an empty argv, such as pkexec using CVE-2021-4034.

@sugar700 sugar700 force-pushed the wrapper-assert-argc-at-least-one branch from 3cbdcb5 to 2a6a3d2 Compare January 28, 2022 11:26
@github-actions
Contributor

Successfully created backport PR #173287 for release-21.11.
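
The include-order problem raised in the review and the argc check this PR adds, as an added example (not code from this pull request or from nixpkgs). `REQUIRE` and `argv_is_sane` are hypothetical names, and `#define NDEBUG 1` is an assumption standing in for a build that passes `-DNDEBUG`.

```c
#include <stdio.h>
#include <stdlib.h>

static int evaluated;                      /* counts how often probe() actually ran */
static int probe(void) { evaluated++; return 1; }

/* Order questioned in the thread: NDEBUG is still set when <assert.h> is read. */
#undef NDEBUG
#define NDEBUG 1                           /* assumption: stands in for -DNDEBUG */
#include <assert.h>
#undef NDEBUG                              /* too late: assert(x) is already ((void)0) */

int late_undef_evaluations(void) {
    evaluated = 0;
    assert(probe());                       /* compiled out, probe() never runs */
    return evaluated;
}

/* <assert.h> redefines assert on every inclusion: #undef first, include second. */
#include <assert.h>

int early_undef_evaluations(void) {
    evaluated = 0;
    assert(probe());                       /* live check */
    return evaluated;
}

/* Hypothetical always-on check that never consults NDEBUG. */
#define REQUIRE(expr) \
    ((expr) ? (void)0 : (fprintf(stderr, "check failed: %s\n", #expr), abort()))

/* Hypothetical helper: returns 1 only when the caller supplied a program name. */
int argv_is_sane(int argc, char **argv) {
    return argc >= 1 && argv != NULL && argv[0] != NULL;
}

int main(int argc, char **argv) {
    REQUIRE(argv_is_sane(argc, argv));     /* reject an empty argv before doing anything */
    printf("late #undef: %d, early #undef: %d\n",
           late_undef_evaluations(), early_undef_evaluations());
    return 0;
}
```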
