From: Jann Horn <jannh@google.com>
To: Peter Maydell <peter.maydell@linaro.org>
Cc: Eric Blake <eblake@redhat.com>, P J P <ppandit@redhat.com>,
Qemu Developers <qemu-devel@nongnu.org>,
Riku Voipio <riku.voipio@iki.fi>,
Prasad J Pandit <pjp@fedoraproject.org>
Subject: Re: [Qemu-devel] [PATCH] linux-user: limit number of arguments to execve
Date: Fri, 3 Mar 2017 17:00:14 +0100 [thread overview]
Message-ID: <CAG48ez3tR7dJJsDHA4cEawOSn4HxZghOAt2-Xk9sNVdSHb77tA@mail.gmail.com> (raw)
In-Reply-To: <CAFEAcA8m2YF4=BOODUJLmAr+Y1JoN2NSh3J+9Yqc__Hh59NXWA@mail.gmail.com>
On Fri, Mar 3, 2017 at 4:56 PM, Peter Maydell <peter.maydell@linaro.org> wrote:
> On 3 March 2017 at 14:54, Eric Blake <eblake@redhat.com> wrote:
>>> + ret = -TARGET_EFAULT;
>>> + break;
>>> + }
>>> argp = alloca((argc + 1) * sizeof(void *));
>>> envp = alloca((envc + 1) * sizeof(void *));
>>
>> ...Uggh. You're using alloca() but allowing an allocation of way more
>> than 4k. That means a guest can cause corruption of the stack (or, with
>> large enough arguments, even escape out of the stack) before you even
>> get to the execve() call to even worry about E2BIG issues.
>
> Yeah, linux-user is shot through with that kind of alloca() usage.
>
> (It's not great, but it's not a security hole because we already
> give the guest binary complete control to do anything it likes.
> Worth fixing bugs if we run into them, though.)
It could be a security hole if a benign guest userspace process decides to
allow a remote client to specify a bunch of environment variables or so.
E.g. HTTP servers with CGI support pass HTTP headers on as
environment variables whose names start with "HTTP_"; however, since
HTTP servers usually limit the request size, this isn't actually exploitable
in that case. But there could theoretically be similar scenarios.
next prev parent reply other threads:[~2017-03-03 16:00 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-03-03 11:25 [Qemu-devel] [PATCH] linux-user: limit number of arguments to execve P J P
2017-03-03 14:54 ` Eric Blake
2017-03-03 15:56 ` Peter Maydell
2017-03-03 16:00 ` Jann Horn [this message]
2017-03-06 7:20 ` P J P
2017-03-03 15:55 ` Peter Maydell
2017-03-03 15:57 ` Jann Horn
2017-03-03 15:59 ` Peter Maydell
2017-03-06 5:26 ` P J P
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAG48ez3tR7dJJsDHA4cEawOSn4HxZghOAt2-Xk9sNVdSHb77tA@mail.gmail.com \
--to=jannh@google.com \
--cc=eblake@redhat.com \
--cc=peter.maydell@linaro.org \
--cc=pjp@fedoraproject.org \
--cc=ppandit@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=riku.voipio@iki.fi \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).