Kernel: Return error from sys$execve() when called with zero arguments

There are many assumptions in the stack that argc is not zero, and argv[0] points to a valid string. The recent pwnkit exploit on Linux was able to exploit this assumption in the `pkexec` utility (a SUID-root binary) to escalate from any user to root. By convention `execve(..)` should always be called with at least one valid argument, so lets enforce that semantic to harden the system against vulnerabilities like pwnkit. Reference: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
2025-07-25 06:47:35 +00:00 · 2022-01-26 03:13:06 -08:00 · 2022-01-26 03:13:06 -08:00 · e954b4bdd4
commit e954b4bdd4
parent 4383b26faa
1 changed files with 5 additions and 0 deletions
--- a/Kernel/Syscalls/execve.cpp
+++ b/Kernel/Syscalls/execve.cpp
@ -851,6 +851,11 @@ ErrorOr<FlatPtr> Process::sys$execve(Userspace<const Syscall::SC_execve_params*>
        if (params.arguments.length > ARG_MAX || params.environment.length > ARG_MAX)
            return E2BIG;

+        // NOTE: The caller is expected to always pass at least one argument by convention,
+        //       the program path that was passed as params.path.
+        if (params.arguments.length == 0)
+            return EINVAL;
+
        auto path = TRY(get_syscall_path_argument(params.path));

        auto copy_user_strings = [](const auto& list, auto& output) -> ErrorOr<void> {