From: Carlos O'Donell <carlos-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
To: Leonard den Ottolander
<leonard-lists-2Avth2y2NeLyQNdsBcn8aGZHpeb/A1Y/@public.gmane.org>,
linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Subject: Re: binfmts.h MAX_ARG_STRINGS excessive value allows heap spraying
Date: Wed, 8 Mar 2017 16:05:38 -0500 [thread overview]
Message-ID: <f16cd7f8-f996-cf66-d640-50b0ccee06c7@redhat.com> (raw)
In-Reply-To: <1488997111.5155.10.camel@quad>
On 03/08/2017 01:18 PM, Leonard den Ottolander wrote:
> On Wed, 2017-03-08 at 12:54 -0500, Carlos O'Donell wrote:
>> In glibc we limit setuid applications, for example sanitizing their
>> environment where it would cause problems or alter behaviour in
>> unintended ways.
>>
>> Can we avoid imposing a limit on all applications?
>
> Not imposing a limit - btw, 0x7FFFFFFF *is* a limit albeit a ridiculous
> and dangerously large limit - is a bad idea, because it allows the
> aforementioned "heap-spraying" which is a serious attack vector.
>
> Note that 128KiB * 4096 arguments still adds up to 512MiB!!!
>
> If you don't feel the limit of 4096 arguments is sufficient please
> provide us with an example where that limit is insufficient.
(a) Justification.
A good design should not unduly limit what users can do without a good
justification.
It is my opinion that it is not enough data to say that a kernel build
is sufficient to justify a limit that will affect all applications.
Minimally I'd expect you to run with such a kernel patch through an entire
distro build cycle to see if anything else breaks. For example reaching
out to the Fedora or SUSE teams to test the patch in Rawhide or
Tumbleweed.
What if 4096 is too much? Why not lower? You could try using systemtap
or dtrace and running a distro start to finish and auditing the mean
values you see (see (c) for a discussion on ensuring the userspace tooling
remains correct after this change).
(b) Attack vector.
The privilege escalation in your example is caused by a fault in a
setuid application.
Can we impose stricter limits on setuid binaries instead of on all
binaries?
In glibc for example we do not allow certain environment variables to
impact the behaviour of setuid binaries e.g. MALLOC_PERTURB_ env var
is ignored in secure mode for setuid binaries (which might be used
for similar heap-spraying).
Can the kernel similarly enforce a different MAX_ARG_STRINGS for setuid?
(c) What limit is appropriate?
No limit is appropriate. Users should be able to use all of their system
resources to accomplish whatever task they need to get done.
Yes, portable applications have limits e.g. ARG_MAX, sysconf(_SC_ARG_MAX),
xargs --show-limits, getconf ARG_MAX etc. We should make sure that any
limit we set does not conflict with current implementations and standards
conformance.
Yes, limits should be balanced against security issues, and for setuid
binaries I agree, but you propose a blanket limit, which is why I'm asking
the question again: Can we impose stricter limits on setuid binaries
instead of on all binaries?
--
Cheers,
Carlos.
next prev parent reply other threads:[~2017-03-08 21:05 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-03-07 14:44 binfmts.h MAX_ARG_STRINGS excessive value allows heap spraying Leonard den Ottolander
2017-03-08 17:54 ` Carlos O'Donell
[not found] ` <f7f9f60b-0f39-7dce-1778-3aa40ba198ef-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2017-03-08 18:18 ` Leonard den Ottolander
2017-03-08 18:21 ` Leonard den Ottolander
2017-03-08 20:47 ` Joseph Myers
2017-03-08 21:05 ` Carlos O'Donell [this message]
[not found] ` <f16cd7f8-f996-cf66-d640-50b0ccee06c7-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2017-03-09 14:04 ` Leonard den Ottolander
2017-03-09 14:35 ` Carlos O'Donell
2017-03-09 14:14 ` Leonard den Ottolander
2017-03-09 20:34 ` Carlos O'Donell
[not found] ` <81d8e14e-e110-4b96-5d45-8bb3b56f4866-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2017-03-10 12:10 ` Leonard den Ottolander
2017-03-14 0:51 ` Carlos O'Donell
[not found] ` <b736f01f-ef0a-56de-bf57-c6d3d74262a4-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2017-03-17 13:12 ` Leonard den Ottolander
2017-03-09 23:10 ` Joseph Myers
[not found] ` <alpine.DEB.2.20.1703092304110.23273-9YEB1lltEqivcGRMvF24k2I39yigxGEX@public.gmane.org>
2017-03-10 0:01 ` Carlos O'Donell
2017-03-08 18:48 ` Leonard den Ottolander
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=f16cd7f8-f996-cf66-d640-50b0ccee06c7@redhat.com \
--to=carlos-h+wxahxf7alqt0dzr+alfa@public.gmane.org \
--cc=leonard-lists-2Avth2y2NeLyQNdsBcn8aGZHpeb/A1Y/@public.gmane.org \
--cc=linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).