From 2a6a3d2c47626782f604a1fb4ec506c834efb47a Mon Sep 17 00:00:00 2001 From: Konrad Borowski Date: Thu, 27 Jan 2022 08:14:53 +0100 Subject: [PATCH] nixos/wrappers: require argc to be at least one setuid applications were exploited in the past with an empty argv, such as pkexec using CVE-2021-4034. --- nixos/modules/security/wrappers/wrapper.c | 1 + 1 file changed, 1 insertion(+) diff --git a/nixos/modules/security/wrappers/wrapper.c b/nixos/modules/security/wrappers/wrapper.c index 49fc6c0ad532..a21ec500208d 100644 --- a/nixos/modules/security/wrappers/wrapper.c +++ b/nixos/modules/security/wrappers/wrapper.c @@ -170,6 +170,7 @@ int readlink_malloc(const char *p, char **ret) { } int main(int argc, char **argv) { + ASSERT(argc >= 1); char *self_path = NULL; int self_path_size = readlink_malloc("/proc/self/exe", &self_path); if (self_path_size < 0) {