From: Eric Blake
Date: Mon, 6 Mar 2017 09:54:59 -0600
Subject: Re: [Qemu-devel] [PATCH v2 1/2] linux-user: limit number of arguments to execve
To: Peter Maydell, P J P
Cc: Qemu Developers, Riku Voipio, Jann Horn, Prasad J Pandit
References: <20170306071721.26708-1-ppandit@redhat.com> <20170306071721.26708-2-ppandit@redhat.com>

On 03/06/2017 09:42 AM, Peter Maydell wrote:
> On 6 March 2017 at 07:17, P J P wrote:
>> From: Prasad J Pandit >> >> Limit the number of arguments passed to execve(2) call from >> a user program, as large number of them could lead to a bad >> guest address error. >> >> Reported-by: Jann Horn >> Signed-off-by: Prasad J Pandit >> --- >> linux-user/syscall.c | 6 ++++++ >> 1 file changed, 6 insertions(+) >> >> { >> +#define ARG_MAX 65535 >> char **argp, **envp; >> int argc, envc; >> abi_ulong gp; 
>> @@ -7794,6 +7795,11 @@ abi_long do_syscall(void *cpu_env, int num, abi= _long arg1, >> envc++; >> } >> >> + if (argc > ARG_MAX || envc > ARG_MAX) { >> + gemu_log("argc(%d), envc(%d) exceed %d\n", argc, envc= , ARG_MAX); >> + ret =3D -TARGET_E2BIG; >> + break; >> + } >> argp =3D alloca((argc + 1) * sizeof(void *)); >> envp =3D alloca((envc + 1) * sizeof(void *));
>
>
> We need to fix this by not using alloca(), not by imposing
> an arbitrary limit that's still rather over-large for an
> alloca allocation, as Eric suggested.

And patch 2/2 does that. Does that patch in isolation fix the problem?
In which case, we don't want this patch.

--
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
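Review bot: `#define ARG_MAX 65535` in the first hunk reuses a name that <limits.h> already defines on Linux hosts (131072 in glibc), and with a different value, so any translation unit that sees both definitions gets a macro-redefinition diagnostic; the macro is also introduced inside the function body and never #undef'd after the block that defines it. The kernel's ARG_MAX is a byte count for args plus environment, not a count of pointers, so the name misleads as well. A distinct, file-scope name such as a TARGET_-prefixed limit next to the other emulation constants would avoid all three issues.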
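Review bot: the bound in the second hunk does not make the two alloca() calls below it safe: with argc and envc each allowed to reach 65535, `argp = alloca((argc + 1) * sizeof(void *));` and the matching envp line still reserve 512 KiB each on a 64-bit host, so a guest can still have more than 1 MiB carved out of the host stack in one syscall before the `ret = -TARGET_E2BIG; break;` path ever triggers. If patch 2/2 moves these allocations to the heap, as the reply above says it should, this check adds no protection and can be dropped; if a limit is kept at all, it belongs with the heap-allocating version and should be justified against the real execve limits rather than chosen as 65535.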