From: Eric Blake <eblake@redhat.com>
To: P J P <ppandit@redhat.com>
Cc: Qemu Developers <qemu-devel@nongnu.org>,
Riku Voipio <riku.voipio@iki.fi>, Jann Horn <jannh@google.com>,
Peter Maydell <peter.maydell@linaro.org>
Subject: Re: [Qemu-devel] [PATCH v2 2/2] linux-user: allocate heap memory for execve arguments
Date: Mon, 6 Mar 2017 12:11:20 -0600 [thread overview]
Message-ID: <8ba0840f-43cf-601d-f0ea-3094b935c4b0@redhat.com> (raw)
In-Reply-To: <alpine.LFD.2.20.1703062325370.6862@wniryva>
[-- Attachment #1: Type: text/plain, Size: 1694 bytes --]
On 03/06/2017 12:06 PM, P J P wrote:
> +-- On Mon, 6 Mar 2017, Eric Blake wrote --+
> | On 03/06/2017 01:17 AM, P J P wrote:
> | > Arguments passed to execve(2) call from user program could
> | > be large, allocating stack memory for them via alloca(3) call
> | > would lead to bad behaviour. Use 'g_malloc0' to allocate memory
> | > for such arguments.
> | >
> | > Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
> | > ---
> | > linux-user/syscall.c | 7 +++++--
> | > 1 file changed, 5 insertions(+), 2 deletions(-)
> |
> | Is this patch alone (without 1/2) sufficient to solve the problem? If
> | so, then drop 1/2.
>
> Yes, it seems to fix the issue. Still I think having ARG_MAX limit would be
> good, as system exec(3) routines too impose _SC_ARG_MAX limit. I'll send a
> revised patch with 'g_try_new' call instead of g_malloc0.
If you impose any limit smaller than _SC_ARG_MAX, you are needlessly
limiting things. Furthermore, _SC_ARG_MAX may not always be the same
value, depending on how the kernel was compiled. So it's probably
asiest to just let execve() impose its own limits (and correctly report
errors to the caller when execve() fails), rather than trying to impose
limits yourself.
In short, the bug that you are fixing is not caused by the guest
requesting something beyond execve() limits, but caused by poor use of
alloca() leading to a stack overrun. You only need to fix the bug (by
switching alloca() to heap allocation), not introduce additional ones
(by imposing arbitrary, and probably wrong, limits).
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 604 bytes --]
next prev parent reply other threads:[~2017-03-06 18:11 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-03-06 7:17 [Qemu-devel] [PATCH v2 0/2] Limit and protect execve arguments P J P
2017-03-06 7:17 ` [Qemu-devel] [PATCH v2 1/2] linux-user: limit number of arguments to execve P J P
2017-03-06 15:42 ` Peter Maydell
2017-03-06 15:54 ` Eric Blake
2017-03-06 7:17 ` [Qemu-devel] [PATCH v2 2/2] linux-user: allocate heap memory for execve arguments P J P
2017-03-06 15:53 ` Eric Blake
2017-03-06 16:08 ` Eric Blake
2017-03-06 18:06 ` P J P
2017-03-06 18:11 ` Eric Blake [this message]
2017-03-06 18:43 ` P J P
2017-03-06 15:57 ` Peter Maydell
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=8ba0840f-43cf-601d-f0ea-3094b935c4b0@redhat.com \
--to=eblake@redhat.com \
--cc=jannh@google.com \
--cc=peter.maydell@linaro.org \
--cc=ppandit@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=riku.voipio@iki.fi \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).