From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751854AbdGGS5d (ORCPT <rfc822;w@1wt.eu>);
        Fri, 7 Jul 2017 14:57:33 -0400
Received: from mail-pg0-f42.google.com ([74.125.83.42]:32858 "EHLO
        mail-pg0-f42.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1750848AbdGGS5b (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 7 Jul 2017 14:57:31 -0400
Date: Fri, 7 Jul 2017 11:57:29 -0700
From: Kees Cook <keescook@chromium.org>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Andy Lutomirski <luto@kernel.org>,
        "Eric W. Biederman" <ebiederm@xmission.com>,
        Michal Hocko <mhocko@kernel.org>, Ben Hutchings <ben@decadent.org.uk>,
        Hugh Dickins <hughd@google.com>, Oleg Nesterov <oleg@redhat.com>,
        "Jason A. Donenfeld" <Jason@zx2c4.com>, Rik van Riel <riel@redhat.com>,
        linux-kernel@vger.kernel.org
Subject: [PATCH] exec: Limit arg stack to at most _STK_LIM / 4 * 3
Message-ID: <20170707185729.GA70967@beast>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

To avoid pathological stack usage or the need to special-case setuid
execs, just limit all arg stack usage to at most _STK_LIM / 4 * 3 (6MB).

Signed-off-by: Kees Cook <keescook@chromium.org>
---
 fs/exec.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/fs/exec.c b/fs/exec.c
index 904199086490..ddca2cf15f71 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -221,7 +221,6 @@ static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos,
 	if (write) {
 		unsigned long size = bprm->vma->vm_end - bprm->vma->vm_start;
 		unsigned long ptr_size;
-		struct rlimit *rlim;
 
 		/*
 		 * Since the stack will hold pointers to the strings, we
@@ -250,14 +249,15 @@ static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos,
 			return page;
 
 		/*
-		 * Limit to 1/4-th the stack size for the argv+env strings.
+		 * Limit to 1/4 of the max stack size or 3/4 of _STK_LIM
+		 * (whichever is smaller) for the argv+env strings.
 		 * This ensures that:
 		 *  - the remaining binfmt code will not run out of stack space,
 		 *  - the program will have a reasonable amount of stack left
 		 *    to work from.
 		 */
-		rlim = current->signal->rlim;
-		if (size > READ_ONCE(rlim[RLIMIT_STACK].rlim_cur) / 4)
+		if (size > min_t(unsigned long, rlimit(RLIMIT_STACK) / 4,
+						_STK_LIM / 4 * 3))
 			goto fail;
 	}
 
-- 
2.7.4


-- 
Kees Cook
Pixel Security