From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752006AbdFVBjS (ORCPT <rfc822;w@1wt.eu>);
        Wed, 21 Jun 2017 21:39:18 -0400
Received: from mx1.redhat.com ([209.132.183.28]:48432 "EHLO mx1.redhat.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1751113AbdFVBjR (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 21 Jun 2017 21:39:17 -0400
DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 34EA880480
Authentication-Results: ext-mx04.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com
Authentication-Results: ext-mx04.extmail.prod.ext.phx2.redhat.com; spf=pass smtp.mailfrom=riel@redhat.com
DKIM-Filter: OpenDKIM Filter v2.11.0 mx1.redhat.com 34EA880480
Message-ID: <1498095554.13083.25.camel@redhat.com>
Subject: Re: [kernel-hardening] [PATCH] exec: Account for argv/envp pointers
From: Rik van Riel <riel@redhat.com>
To: Kees Cook <keescook@chromium.org>,
        Andrew Morton <akpm@linux-foundation.org>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>,
        Qualys Security Advisory <qsa@qualys.com>, linux-mm@kvack.org,
        linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
        kernel-hardening@lists.openwall.com
Date: Wed, 21 Jun 2017 21:39:14 -0400
In-Reply-To: <20170622001720.GA32173@beast>
References: <20170622001720.GA32173@beast>
Organization: Red Hat, Inc
Content-Type: text/plain; charset="UTF-8"
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.28]); Thu, 22 Jun 2017 01:39:16 +0000 (UTC)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, 2017-06-21 at 17:17 -0700, Kees Cook wrote:
> When limiting the argv/envp strings during exec to 1/4 of the stack
> limit,
> the storage of the pointers to the strings was not included. This
> means
> that an exec with huge numbers of tiny strings could eat 1/4 of the
> stack limit in strings and then additional space would be later used
> by the pointers to the strings. For example, on 32-bit with a 8MB
> stack
> rlimit, an exec with 1677721 single-byte strings would consume less
> than
> 2MB of stack, the max (8MB / 4) amount allowed, but the pointers to
> the
> strings would consume the remaining additional stack space (1677721 *
> 4 == 6710884). The result (1677721 + 6710884 == 8388605) would
> exhaust
> stack space entirely. Controlling this stack exhaustion could result
> in
> pathological behavior in setuid binaries (CVE-2017-1000365).
> 
> Fixes: b6a2fea39318 ("mm: variable length argument support")
> Cc: stable@vger.kernel.org
> Signed-off-by: Kees Cook <keescook@chromium.org>

Acked-by: Rik van Riel <riel@redhat.com>