Re: [syzbot] [ntfs?] WARNING in do_open_execat

From: Eric W. Biederman
Date: Fri Aug 18 2023 - 17:01:07 EST


Mateusz Guzik <mjguzik@xxxxxxxxx> writes:

> On Fri, Aug 18, 2023 at 11:26:51AM -0500, Eric W. Biederman wrote:
>> syzbot <syzbot+6ec38f7a8db3b3fb1002@xxxxxxxxxxxxxxxxxxxxxxxxx> writes:
>>
>> > Hello,
>> >
>> > syzbot found the following issue on:
>>
>> Not an issue.
>> Nothing to do with ntfs.
>>
>> The code is working as designed and intended.
>>
>> syzbot generated a malformed exec and the kernel made it
>> well formed and warned about it.
>>
>
> There is definitely an issue here.
>
> The warn on comes from:
> /*
> * may_open() has already checked for this, so it should be
> * impossible to trip now. But we need to be extra cautious
> * and check again at the very end too.
> */
> err = -EACCES;
> if (WARN_ON_ONCE(!S_ISREG(file_inode(file)->i_mode) ||
> path_noexec(&file->f_path)))
> goto exit;
>
> Where path_noexec is:
> return (path->mnt->mnt_flags & MNT_NOEXEC) ||
> (path->mnt->mnt_sb->s_iflags & SB_I_NOEXEC);

My confusion.

I was seeing the message from
if (retval == 0)
pr_warn_once("process '%s' launched '%s' with NULL argv: empty string added\n",
current->comm, bprm->filename);

I made the mistake of assuming that that was generating the backtrace.
The lack of args to execveat appears to be working fine.

I see you tracked this down to a non-exhaustive check in may_open.
Apologies for the noise.

Eric